Top 10 Ethics & Compliance Trends for 2019

A NAVEX Global eBook
Top 10 Ethics & Compliance

Trends for 2019
Predictions & Recommendations for the Year Ahead
Table of Contents
I. Consumers, not Regulators, Are the New Enforcers of Global Business Practices 3
Author: Richard Young, Consulting Editor, Progressive Content
II. The Cost of Incivility in the Workplace 7

Author: Carrie Penman, Chief Compliance Officer & SVP, NAVEX Global
III. GDPR Enforcement and Regulation May Be Slow, But It’s Coming 11
Author: Shon Ramey, General Counsel, NAVEX Global
& Jessica Wilburn , Data Privacy Officer and Senior Counsel, NAVEX Global
IV. Groundbreaking Evidence on the ROI of Compliance Program Hotline Reporting 15

Author: Matt Kelly, CEO & Editor, Radical Compliance
V. Blurred Lines Between Protected Activity and Corporate Governance 18

Author: Gregory Keating, Partner, Choate, Hall & Stewart
VI. Incentivizing Ethics: What Does the Future Hold for Paying for Ethical Behavior? 21
Author: Ed Petry, Senior Advisor, NAVEX Global
VII. Third-Party Risk Is NOT Just About FCPA Anymore 25

Author: Kristy Grant-Hart, Author and CEO, Spark Compliance Consulting
VIII. Moving from Speculative to Realistic Conversations on Artificial Intelligence 29

Author: David Banks, Editor in Chief, Ethics & Compliance Matters Blog
IX. #MeToo: From Hashtag to Movement to New Normal 33

Author: Ingrid Fredeen, Vice President, Online Learning Content, NAVEX Global
X. Old Compliance Lessons Apply to New Compliance Trends 37

Author: Ed Petry, Senior Advisor, NAVEX Global
XI. About this Resource 39
Top 10 Ethics & Compliance Trends for 2019 | +1 866 297 0224 | info@navexglobal.com | www.navexglobal.com
Introduction
As we prepared for the publication of our 2019 Top 10 Ethics & Compliance
Trends, a common thread became evident: transparency. Whether it be a
company’s data use practices, its response to sexual harassment, or its efforts to
eliminate atrocities like human trafficking from supply chains – transparency will
define our industry’s challenges and opportunities in 2019.
Consider the “belief economy” businesses operate in today. More so than just product specs, consumers are buying
based on brand authenticity and ethical business practices. People want to work for, buy from, and support companies
that they believe will create ethical ripples beyond the transaction. This has positioned employees, consumers and the
public at large as the arbiters of business success. Even more than regulators, these groups disproportionately influence
brand reputations, and often have higher standards.
In this belief economy, employees want to believe in the mission of their employers, extending to not just what the
organization does, but also how it does it. Consumers are voting with their dollars to stand in support or opposition
of social movements, not just physical products. The public at large wants to be the force of corporate accountability.
And shareholders know all this and understand the bottom line depends on how we operate within these new norms.
This demand for transparency is a byproduct of the abuse of privacy on the behalf of corporations. Whether it is the
use of NDAs to suppress stories of harassment; cavalier processing of personal data; or blind eyes turned to fraudulent
business practices, corporate institutions face a wall of skepticism. This is not to say that all are at fault. But the reality
is that the few have changed the landscape for the rest, and all will be met with greater skepticism and pressure for
transparency as a prerequisite for future business.
We can also see this as a shift toward a culture of accountability. Here, protections like privacy and confidentiality that
previously insulated organizations are now inciting additional scrutiny. Concealing unsavory corporate circumstances
and ensuing disciplinary action (or inaction) is no longer always in a company’s best interest. Corporate observers see
unchecked privacy and confidentiality as the antithesis of transparency, and also a gateway to ethical complacency.
Often they are right. Whether by intent or neglect, lack of disclosure allows room for inaction. Transparency, on the
other hand, provides a powerful change agent in the form of employee, consumer and public accountability.
We cannot forget, however, that transparency is not the goal, but a means to an end – that end being trust.
In today’s climate of distrust (fake news, unmet promises, and corporate misdeeds), there is an opportunity for
corporations to take a leadership role and rebuild trust in their words and brands through action and commitment.
For that we need to be transparent in our business dealings, in our employee management, and our public relations.
That is how we will regain trust and remain successful in the modern belief economy.
1
1. Consumers, not Regulators, Are the New
Enforcers of Global Business Practices
By: Richard Young slew of one-star reviews on Amazon? It’s not an either/or
question, of course. But the poor reviews will
Over the past decade, three factors have shifted the hit your business a lot quicker.
way organizations perceive consumers, decide their
own practices, frame the way they communicate – and
even determine what they believe. First, the socialized
Consumer Anarcho-Syndicalism
economy has created new ways of seeing and sharing Social media has also been a vector for rampant
corporate behavior. Second, consumers are feeling populism. This is most visible in politics. From Presidents
empowered as never before. And, lastly, they’re starting across the globe to Brexit and les Gilets Jaunes, people
to take the initiative on perceived transgressions. are voting for “shake-up” candidates and taking direct
action against “the establishment.” These movements
These forces are a huge challenge for compliance teams. are often barely organized – but their members want
Simply “checking the box” was never a great idea when it their opinions respected.
came to meeting regulatory demands. But it’s a hopeless
approach for dealing with consumer expectations around Corporate policies or statements at odds with any given
ethics and business practices. The right policies, training brand of identity politics can instigate public opposition
and values in your code of conduct are vital – alongside in new ways. For example, sporting goods stores that
visible commitment to those values in everything you do. took an ethical stance on the minimum age for gun
buyers after a school shooting in 2018 saw sales decline.
The Socialized Economy

And whereas 30 years ago an organization might engage
Any conversation around consumer influence starts with an organized pressure group to address an ethical
with social media. Although the credibility of platforms issue, today’s movements are nebulous. There’s often no
such as Facebook is now in question, social networks one to negotiate with – as French President Macron has
remain a key catalyst for, and means of, amplifying found. This puts a premium on clear corporate strategy.
consumer sentiment. We can see the success or failure of these strategies
play out in polarizing ad campaigns from companies that
A viral post is now a far more effective driver of corporate tap into political leanings, drawing sharp lines between
change across a range of issues – from racism to conservative and liberal buyers. When done strategically,
corporate waste – than any new law. Just ask companies sales soar; when done less so, brand reputation wavers.
whose policies were thrown into a spin after a viral video
showed their business practices from an unflattering
vantage point.
The Consumer as Enforcer
In some cases, stakeholders are filling the spaces left
Put another way, what makes a bigger difference to your by relatively light regulatory enforcement. In the UK, for
business: conforming to a product safety standard, or a example, the Modern Slavery Act sets out clear criminal
3
them breaking the law. Customers now fill the gap
left by regulators hampered by jurisdictional or
procedural questions in a range of areas – ready to
flag up even suspected breaches with considerable
commercial consequences.
It All Comes Down to Trust

& Transparency
Underpinning these forces is declining trust. A decade
ago, the global financial crisis caused a fundamental
break in consumer faith. There remains a deeply
embedded suspicion – perhaps even cynicism –
about business and finance. Research shows trust is
still evaporating.
Many brands recognize regulatory compliance is not

enough to disrupt a decade of distrust. Aside from
securing millennial spending (actually, lots of older
people care about transparent, trustworthy businesses
too…), ethical behavior is needed to win over key talent.
Nowhere is the consumer-as-regulator more obvious than

in the digital space. In 2018, GDPR and other regulations
shook the business world. But even the potential fines – 4
percent of global parent company turnover for GDPR –
pale next to the erosion of trust, the most valuable asset
in a hyper-connected world.
Social apps are disappearing off young people’s

phones; other platforms are seeing growth stall;
Google’s evidence to congress was challenged in
the face of a barrage of negative stories. In each case,
offences related to human trafficking and slave labor.
trust in the organization and in its ability to serve the
In 2017, there were more than 300 police operations
consumer’s best interest – not meet regulations – is a
investigating possible violations of the Act. Yet most
key driver. Winning companies will increasingly be those
businesses can comply with the law simply by amending
that calibrate their ethics according to their consumers,
employment and contracting policies and, in the case
not regulators – and are open and authentic about their
of larger businesses, publishing an appropriate
intentions. This adds more credence to the maxim of
statement online.
doing well by doing good.
That means acts of slavery – and particularly child labor

– could still be part of a company’s supply chain without
4
Key Steps for Organizations to Take Be Clear & Calm
Consumers’ standards of evidence are far lower than
Aggressively Avoid Lip-Service regulators’. Transparent organizations can usually
Talking up your ethics code isn’t enough. You might need resolve allegations of unethical behavior faster than
to recalibrate your entire business model against an those whose systems hide the truth (even from their own
ethical yardstick. Internal and customer-facing processes management). That also means you panic less, get facts
should be transparent enough to win the trust of your more quickly, have well-defined processes to resolve
own people, regulators and your consumers. That also ethical breaches, and are seen as a company that acts.
means analyzing activity data from more and more
reliable sources. Understand Algorithmic Oversight
A big ethical issue in 2019 is the fairness of algorithms
Align Leadership Realistically – the building blocks of AI that are increasingly shaping
Leadership must live and breathe the ethics interactions with consumers. Prescient companies
communicated to staff and customers – and ensure are getting ahead of the issue with policies beyond
processes and policies, especially around incentives, back regulatory need. Lawmakers and companies themselves
them up. Over-promise and under-deliver on ethics, and can’t be sure how algorithmic decision-making affects
the backlash from consumers will be severe. society; so consumers will set the benchmark.
Follow the Money Audaciously Live Your Standards
Strong compliance means avoiding fines. But the Don’t be shy about showcasing how your leaders believe
stakeholders driving revenues (customers) and costs in your ethical approach and their commitment to
(suppliers) also make decisions on ethical grounds. And organization-wide policies to back it up. There’s more
they move faster than any regulator can. than just reputational value on offer. Publicly raising
ethical standards puts pressure on opaque business
practices in your industry. It’s a competitive advantage.
About the Author
Richard Young, Consulting Editor

Richard Young has been writing about business for 23 years. In 2001 he launched Real
Finance, editing the CFOs’ magazine until 2006 when he went freelance. He now divides
his time between agency Progressive Content; writing and editing for media outlets and
corporate clients; chairing conferences and events; and his own one-day workshop on
Better Business Writing.
5
2. The Cost of Incivility in
the Workplace
By: Carrie Penman The lack of personal ownership for integrity, civility
and general decency in the workplace puts more
The modern workplace may be finally undergoing responsibility on the organization to enforce those
a period of self-reflection as the demand for better behaviors. Organizational ownership of personal values,
and more civil working environments is moving to the however, is more expensive and less effective.
forefront. This demand is not new. Employees have
always framed the majority of reports made to ethics For instance, the EY report also found that the group that
and compliance hotlines as issues of respect and fair did not believe integrity was an individual’s responsibility
treatment. And too often these concerns are dismissed (i.e., 78 percent of the respondents) were “significantly
by leadership as whining or complaining – not related more likely to act inappropriately, including making
to the business and certainly not a “compliance issue.” cash payments to win or retain business. These same
Nothing could be further from the truth. respondents are also more likely to extend the monthly
reporting period or change assumptions that determine
The truth is that rude, abusive, harassing, and bullying valuations or reserves in order to meet financial targets.”
behavior has been costing organizations big-time for
decades. The cost is seen in decreased productivity, loss These are real compliance failures that can result
of top talent, stilted innovation, increased sick time, poor in very real regulatory enforcement. And while the
customer service and yes, serious compliance violations. compliance failure costs may be more easily quantified,
And when we include retaliatory behavior in this it is also critical to raise the flag on the interpersonal
definition, the legal costs and compliance risks go even consequences and the resulting non-regulatory cost
higher. Like harassment and retaliation, incivility in the of incivility.
workplace is often another form of abuse of power, and it
is important that we address all of these issues together
The Continuing Abundance of HR-
to truly change cultures.
related Hotline Reports
Let’s look at some numbers. In its 15th Global Fraud
If we turn to internal company hotlines and incident
Survey (2018), EY uncovered findings on a primary
management systems as our canary in the coal mine, we
indicator of corporate civility – integrity. When asked
see the magnitude of real, or at least perceived, incivility
who is responsible for integrity within the organization,
in our own organizations. Of all the cases reported
only 22 percent of respondents said that integrity is
to internal compliance hotlines in 2017, 72 percent
an individual’s responsibility. The other 78 percent
were HR-related reports. If you look specifically at the
of respondents said that corporate integrity is the
accommodation and food services industry, this
responsibility of either management, the board, HR or
number goes up to 85 percent.
the legal and compliance teams.
There are three key takeaways from this reality. First,

What’s important to understand is that these trends
an inordinate amount of HR and compliance resources
are not just social issues with just social consequences.
7
are commanded by employees dissatisfied with their When employees do not see
experience with others in their workplace as shown by
themselves as personally accountable
the volume of harassment, discrimination, retaliation and
other interpersonal workplace issues. Many of the reports for corporate civility, it is easier
written off by leaders (and some compliance officers) as for them to see themselves in
nuisance reports or the “my boss is mean to me issues,”
opposition to the organization when
are often the early warning signs that something is
culturally “off” in a particular location or department. things go wrong. This creates an
Addressing the root cause of trends in this area can increased appetite for legal action
avoid other and more serious violations. Reducing the against the organization.
volume of these cases will also give these departments
meaningful time and resources back to focus
proactively on building and sustaining a culture
Define & Commit to Core Values
of integrity and respect.
Define the organization’s core values and then have
Second, interpersonal issues come with a significant unwavering commitment to those values. For these values
amount of emotional weight. How these cases are to have credibility, people at all levels of the organization
handled will create either positive or negative emotional need to be held accountable equally. This is the only
ripples through the organization. way it will work. Employees are always watching who is
rewarded and the behaviors these individuals exhibit. If
Third, just the processing of claims of harassment, the screaming jerks get the promotions and raises, then
discrimination and bullying come with a price tag for this is the type of behavior the organization embraces
the organization. As my colleague Scott Nelson stated and it will become the norm. Everybody knows who the
in his piece, The Era of the Jerk Manager Is Over, “Even offenders are and the level of organizational cynicism is
if the employee’s claim is legally baseless, it can be directly related to the accepted behaviors.
expensive for an organization to prove that. A defense
attorney might be confident in a win, but it can cost the In support of core values, I recently had the pleasure
organization a lot of money to get there.” of hearing Erica Javellana – Speaker of the House for
Zappos – discuss the company’s 10 core values at NAVEX
When employees do not see themselves as personally Global’s 2018 Ethics & Compliance Virtual Conference.
accountable for corporate civility, it is easier for them to Most interesting was the company’s specific commitment
see themselves in opposition to the organization when to hiring and firing on these values.
things go wrong. This creates an increased appetite for
legal action against the organization. For instance, if someone is flown into town for an
interview, meets performance expectation during the
interview, however is disrespectful to the driver taking
Key Steps for Organizations to Take
them back to the airport – that behavior is weighted
Management and leadership must set the expectations just as heavily as their work experience and professional
for acceptable behavior in the workplace and be qualifications. To be more accurate – respectful behavior
responsible for ensuring these traits are owned by each is a requisite professional qualification.
employee at every level of the organization. It is time
to raise the bar so that civil treatment in the workplace
becomes a non-negotiable for continued employment
in all organizations. Following are some key steps for
organizations to take.
8
Provide Integrity & Civility Training for All Managers Be Present – Professionally, Personally, Emotionally,
& Supervisors Mentally, Physically
Managers – senior, mid-level and junior – are essential Finally, civility only exists in the interaction between two
to instilling these values into every faction of the or more people. These interactions are being threatened
organization. Managers need to be trained on how by the rampant dependency on nonessential tech in
to have hard and critical conversations in a respectful the workplace. Nonessential meaning, the checking
way with those they manage. The entire org chart of of phones at the beginning of meetings instead of
supervisors must also be well aware of not only their exchanging pleasantries with colleagues; the instant
personal ethics, but how those ethics are interpreted by messages instead of desk visits; the emails instead of
employees. Every corporate leader needs to talk the talk phone calls.
and walk the walk.
We all know that it is not respectful to multitask during
a conversation, yet this behavior is now commonly
360-Degree View of Managers
accepted. More and more, we – everyone from
We all know people who are very good at “managing up”
management to frontline employees – are seeing
but not so good when it comes to respectful interactions
coworkers as a part of the corporate architecture
with peers or subordinates. One of the most effective
rather than human beings that share a world outside
ways for an organization to learn about uncivil or bullying
the demands of the workplace. Successful leaders
behavior is to provide a safe environment for employees
recognize they are managing people and that respectful
at all levels of the manager’s orbit to provide feedback.
relationships between people are critical
This is best achieved through 360-degree reviews that
to organizational success.
showcase the full spectrum of behaviors. Incorporating
the ability for anonymous reviews from subordinates is If we can move toward re-humanizing business, people
key for honesty and accuracy of evaluations. will again begin to see themselves as responsible for
values like civility, integrity and respect and the cost of
incivility to the workplace will decline.
About the Author
Carrie Penman, Chief Compliance Officer & SVP, NAVEX Global

Carrie oversees NAVEX Global’s internal ethics and compliance activities employing many of
the best practices that we recommend to our customers. In 2017, Carrie received the Ethics
& Compliance Initiative (ECI) Carol R. Marshall Award for Innovation in Corporate Ethics
for an extensive career contributing to the advancement of the ethics and compliance field
worldwide. Prior to joining NAVEX Global, she served four years as deputy director of the
Ethics and Compliance Officer Association (ECOA). Carrie was one of the earliest ethics
officers in America. She is a scientist who developed and directed the first corporate-wide
global ethics program at Westinghouse Electric Corporation.
9
3. GDPR Enforcement & Regulation
May Be Slow, But It’s Coming
By: Shon Ramey & Jessica Wilburn to be accessible to many staffers who did not need this
level of access to perform their role. More specifically –
Well into the first full year of the EU’s General Data almost 1,000 employees had the data access rights of
Protection Regulation and the global compliance medical doctors, while the hospital only had around 300
community is only just starting to see signs of doctors on staff. This was a clear flaw in privacy by design
enforcement. While May 25, 2018 represented a drop- and proves that violations of the principles relating to
dead date that organizations scrambled toward for processing of personal data will be taken seriously
GDPR compliance, it didn’t hold the same urgency by regulators.
for regulators. That is likely to change in 2019.
The amount of the fine (nominal for an organization of
Despite the two years leading up to GDPR’s go-live its size), and the lack of an external data breach, may
date, regulators in some jurisdictions just weren’t ready indicate that GDPR enforcement will be less reactively
when the time arrived. This has delayed the flood of punitive and more proactively preventive. We must
enforcement action we were all holding our collective remember that the regulation is ultimately committed
breath for. Things are just now starting to warm up with to protecting individuals – not necessarily data. Just
fines and cease-processing enforcements trickling in. because an organization may feel it has heightened
immunity against breaches, if its personally identifiable
We can’t let the lack of immediate enforcement lull us information (PII) hygiene is weak, it is still exposed.
into believing that this will be the norm. Instead, we
should look at the intensity of complaint reporting since If we could speculate a bit, we think all of the predictions
May 25. In just the first 26 days after GDPR went into GDPR forecasters made in early 2018 may still be accurate
effect, the United Kingdom alone received 1,124 GDPR – they will just begin to transpire in 2019. Consider this
violation complaints. In Ireland, there were 547 data from Christin McMeley, CIPP/US formerly of Davis Wright
breach notifications and 386 complaints in the first 32 Tremaine LLP:
days. France received 426 complaints in just 24 days.
When regulators get up to capacity, we may see this “GDPR enforcement will be similar to FTC enforcement
intensity mirrored in enforcement. in the U.S. in the sense that DPAs [Data Protection
Authorities] will go after companies with clear
Although we haven’t learned much from the volume of violations so they can (1) levy maximum fines that serve
enforcement, we are getting some insight from the nature as a deterrent and (2) build a body of case law that will
of enforcement. Take for example Portugal’s national serve as its own kind of guidance. I don’t think the first
privacy regulator’s, the Comissão Nacional de Protecção enforcement actions will involve big tech, because they
de Dados (CNPD), €400,000 fine of a major hospital for will fight back, prolonging resolution – plus a midsize
violating the GDPR. Interestingly, this fine didn’t even company reinforces the FTC approach that it could be
involve an external data breach. It was an infringement anyone at any time.”
of integrity and confidentiality demonstrated by allowing
excessive amounts of sensitive patient data
11
11
This is all still very prescient. In addition, we should
anticipate the heat to really turn up when EU
regulators bring a major enforcement action
against a U.S.-based company.

While we await more guidance and explanation to help
bring clarity to both the law and best practices, there are
several steps that compliance officers should be taking.
Know Events that Start the Clock

GDPR identifies events that require immediate action
by organizations. The key here is not just knowing when
action is required, but also being prepared to complete
the necessary action within the allotted timeframe.
For instance, in the case of a personal data breach,
companies in the role of the data controller have a
72-hour window from the time of discovery to the time
of disclosure. Employees who handle data must be
properly trained and escalation policies need to be in
place well before a breach to ensure this timeline is met.
More common is the 30-day window following a DSAR
(Data Subject Access Request). Once a data subject – an
individual – requests their data, an organization may be
required to deliver that data within 30 days. Before a
request ever comes in, companies should have all their
PII mapped, organized and easily accessible on demand.
Evolve Your Data Management Sophistication

At first, GDPR signaled better data management. Now,
as privacy efforts mature, we are seeing that better data
management starts with a complete understanding of
the type and location of the data organizations gather.
Organizations need to ask themselves:
»» Are outside vendors processing personal information

you collect? Are you processing theirs? Are there
sub-processers?
»» How is data destroyed, and are your vendors

following the same procedures?
12
12
»» Which cloud systems are you using and what California in 2020. Smart companies will work to meet the
information is flowing to them? most stringent laws now. Building in privacy by design
standards from the start will be much easier and cheaper
»» How good are your data security measures? Do your
than retrofitting programs down the road.
vendors meet the same standards?
We have talked a lot about GDPR in 2018 and will
Implement Data Governance Now, Even if GDPR continue to do so in 2019. But it should be understood
Doesn’t Apply to You that GDPR compliance is not insurmountable and,

therefore, excusable. GDPR compliance and data privacy
All organizations, even those with business practices that
are becoming table stakes. It is not something that will
GDPR does not apply to, should start ensuring “privacy
likely drive new business for your organization but can
by design” is embedded into everything they do. This
definitely lead to the loss of business. So whether or not
is especially true for technology-based organizations.
a GDPR enforcement wave comes, it is still essential to
Heightened data privacy standards are only expanding.
get your data-privacy house in order.
Consider the Consumer Privacy Act going into effect in
About the Authors
Shon Ramey, General Counsel, NAVEX Global

Shon has focused his legal career on corporate law and regulatory and compliance
matters. During his more than 25 years of practicing law, Shon has managed corporate law
departments and counseled multinational corporations on transactional and compliance
matters. As NAVEX Global’s general counsel, he is responsible for the legal department and
provides direction and oversight to the human resources and global privacy functions.
Jessica Wilburn, Data Privacy Officer & Senior Counsel, CIPP/US, CIPP/E
As Data Privacy Officer & Senior Counsel, Jessica leads data privacy for NAVEX Global,
advising on compliance across all aspects of global privacy law and regulations. She has been
with the organization for over four years, initially focusing on the negotiation of Software-as-
a-Service (SaaS) agreements and data transfer and processing agreements. Jessica spent the
majority of 2017 in our London office, working with individuals from around the globe on the
impact of global data privacy laws.
13
13
4. Groundbreaking Evidence on the ROI of
Compliance Program Hotline Reporting
By: Matt Kelly correlates to better business performance – to draw

the roadmap for how to run, and improve, your
Perhaps some of 2018’s biggest ethics and compliance compliance program.
news came in November, when researchers at George
Washington University (GWU) and the University of Utah So that was the big breakthrough for 2018. What are the
confirmed something most compliance professionals implications for 2019? There are three steps organizations
already suspected: a corporate culture of strong internal should take.
reporting correlates to better business outcomes.
Specifically, the researchers found that businesses with

strong internal reporting activity also experienced fewer
Generate the Raw Material for Internal Reporting
material lawsuits, lower litigation settlement costs, fewer
whistleblower complaints to outside regulators, less If you want to generate more internal reporting activity,
potential for earnings management, and even higher employees need to generate the raw material: the reports
return on assets. themselves. Managers’ review and handling of reports is
critical, but none of it matters if employees don’t speak
Equally important were two things the researchers up in the first place.
didn’t find. First, they found no “negative correlation”
to anything. That is, they found no bad outcome that And the most precarious moment for employees – the
corresponded to higher internal reporting. Second, they moment most urgent for ethics and compliance officers
found no point of diminishing returns – some level of to catch – is when employees aren’t speaking up about
internal reporting activity, above which all those good misconduct because they don’t know whether they
outcomes begin to recede. There was no such point. are doing something wrong. This is where ethics and
More reporting always correlated to better performance compliance training is key. Compliance training efforts
on the business outcomes mentioned above. should therefore define what “something wrong” actually
is – to help employees recognize the characteristics that
On those grounds alone, the compliance community make a thing “wrong.”
could give itself high-fives all around. Now we know
that internal reporting is a crucial business metric, and Don’t Sacrifice High Growth; Support It
that boards should have no reason to fear high levels of
Accelerated-growth companies, especially startups, and
internal reporting in their organization.
especially those in tech, focus foremost on scaling up
the business. They hire, acquire and expand as rapidly as
On the contrary, boards should be demanding to know
their funding allows. In contrast, established firms focus
internal reporting levels over time and asking about how
on driving sustainable growth and improving efficiency.
the ethics and compliance function is working to push
reporting levels higher. Compliance officers themselves
can use that basic fact – more internal reporting
15
15
These findings about internal reporting have significant Those are, fundamentally, the same thing: the collection
implications for high-growth companies. Many of them of practices, customs, and attitudes at an organization
have no established culture beyond moving fast and that affect how employees behave. We all understand
disrupting things. They also often have underdeveloped those concepts at a gut level, and certainly know a good
internal reporting policies and procedures, if they have or bad corporate culture when we see it. But how do
any at all. How can organizations that fluid and dynamic you quantify that culture to validate your progress at
apply the lessons of this research in a useful way? improving it?
Companies should embrace strong internal reporting

from their very beginning – but that’s not an easy sell with
Higher internal reporting shows a
many startups, especially if they’re under fierce pressure
to grow quickly. On the other hand, we’ve all seen workforce more eager to talk about
more than one technology giant suffer from numerous the organization’s problems, and
misconduct scandals because the company hadn’t
that’s good. That’s what everyone –
established a strong ethical culture built on a foundation
of employees encouraged to talk about problems. from auditor to regulator to board
to CEO to compliance officer –
Make the Benefits of Internal Reporting should want to achieve.
Compliance Canon
By “canon” I mean the body of rules and assumptions
the whole compliance community – compliance officers,
This new research on internal reporting starts to answer
regulators, board directors, and all the rest – take for
that question. Compliance officers might need to pull any
granted. For example, everyone knows compliance
number of levers to improve their specific organization’s
officers should have autonomy. Everyone knows due
culture, but in theory, higher internal reporting is what
diligence should be risk-based.
you should expect to see. Higher internal reporting
shows a workforce more eager to talk about the
So how does this finding, that more internal reporting is
organization’s problems, and that’s good. That’s what
always a good thing, become canon?
everyone – from auditor to regulator to board to CEO
to compliance officer – should want to achieve.
Regulators, for instance, talk constantly about wanting
to see a culture of compliance. External auditors dwell
Let’s see if we can get closer to that in 2019.
on the importance of a strong control environment.
About the Author
Matt Kelly, CEO & Editor, Radical Compliance

Matt Kelly was editor of Compliance Week from 2006-2015. Prior to his role at Compliance
Week, he was a reporter and contributor on corporate compliance and technology issues for
magazines such as Time, Boston Business Journal, eWeek, and numerous other publications.
Matt now maintains his own blog, RadicalCompliance.com, and writes and speaks frequently
on all things GRC.
16
16
5. Blurred Lines Between Protected
Activity & Corporate Governance
By: Gregory Keating argued that HR employees cannot engage in protected

activity, and subsequently fired the rep.
Can your chief compliance officer be a whistleblower?
How about your in-house legal counsel or HR The court disagreed, ruling that the individual was
representative? More specifically, is someone a protected from retaliation because her superiors ignored
whistleblower when they raise concerns that are a her repeated complaints. The court did acknowledge
part of their defined job responsibilities? Similarly, that generally HR employees do not engage in protected
are the activities they engage in each day protected activity when they encourage others to pursue claims
within the legal definition that safeguards externally. However, given the unique circumstances of
whistleblowing employees? this case, they made an exception. A blistering dissent
labeled the decision “a land mine that we have now laid
In 2018, we’ve seen a handful of cases on this issue, and for employers.”
received court rulings that stand divided on the exact
line between whistleblowing and protected activity. Our second example comes from the United States Court
Some believe that you never step out of your role as of Appeals for the Third Circuit. Here, a former university
an HR or compliance professional and therefore never vice president and budget officer was asked to report a
engage in protected activity. Other rulings indicate budget “swing” showing a multimillion dollar deficit when
protected activity is entirely circumstantial. In either the books actually indicated a multimillion dollar surplus.
case, compliance programs need to be attuned to this The former VP made several efforts to compel her
trend, and ensure they know the signs of a potential management to report accurately, including presenting
whistleblower, especially when within one of their her findings to the university’s budget committee, but to
corporate governance departments. no avail. The university would later allow her employment
contract to expire, claiming the employee was not the
right “cultural fit.” This led to a retaliation claim from the
Courts Divided on Protected Activity
former VP based on her right to free speech under the
Let’s take a look at two cases that better represent First Amendment.
this debate.
In this case, the court ruled in the defendant’s favor
Our first example comes in the form of retaliation saying that her right to free speech did not apply under
protection granted by the United States Court of Appeals her circumstances. Because her budgetary concerns
for the Eleventh Circuit. Here, an HR representative were part of her job, her report was made not as a
at a major manufacturer filed an unlawful termination private citizen, but as a public employee and
claim against her company after repeatedly complaining therefore unprotected.
about unfair treatment of women and minorities in
the workplace. While in her HR role, the defendant These opposing rulings on fairly similar cases leave a big
recommended another employee to file suit as well, after question mark for organizations. There are, however, a
that employee came to her for advice. The company few things every organization should be doing as we wait
for more clarity on this issue.
18
18
Key Steps for Organizations to Take All whistleblower complaints are
best managed when organizations
Err on the Side of Complaints
have multiple channels in place for
If something sounds like a whistleblower compliant,
and smells like a whistleblower complaint, there is a
employees to report problems.
good chance it is, even if the reporter sits in your HR, Accessible and well-communicated
compliance, risk or legal department. Organizations internal reporting mechanisms help
should apply additional sensitivity to employees who are
all employees feel comfortable
tasked with remediating problems in the company and
repeatedly complain that a specific issue is not being bringing up issues.
resolved. Furthermore, employers should consult counsel
before administering any adverse action against such an
individual as this can engender a claim of retaliation. are receiving a formal complaint that needs to
be documented and investigated.
Take Every Concern Seriously
Any concern that arises through an investigation should Prioritize Awareness
be taken seriously. This should be standard even when Effective policies are essential to ensuring that all
the protected activity of the reporter is ambiguous. employees understand what is expected of them as
Ensure every investigation follows preplanned protocols well as their reporting options. Having the right policies
and is well documented. When an unexpected complaint is just the first step. Organizations need effective
occurs, following standardized procedures is best for communication campaigns that make all employees
swift internal resolution and strong external defensibility. aware of the policies, as well as the organization’s
commitment to supporting a speak-up culture.
Offer Strong Reporting Mechanisms
The characteristics of whistleblowing and whistleblowers
All whistleblower complaints are best managed when
are ever-changing, but the importance of cultivating
organizations have multiple channels in place for
a strong culture of speaking up as well as listening up
employees to report problems. Accessible and well-
will remain constant. That is how we create resilient
communicated internal reporting mechanisms help all
workplace cultures that protect your people, reputation
employees feel comfortable bringing up issues. Incident
and bottom line.
reporting channels also let organizations know when they
About the Author
Gregory Keating, Partner, Choate, Hall & Stewart

Greg is chair of Choate’s Labor Employment & Benefits and Whistleblower Defense Groups.
He was nominated to serve as a management representative on the Whistleblower Protection
Advisory Committee in 2012 by U.S. Senators Michael Enzi and Johnny Isakson and was
later appointed by Hilda Solis, U.S. Secretary of Labor. Greg is recognized as a national
authority in the area of whistleblowing and retaliation. He litigates and investigates a wide
range of whistleblower cases and has extensive experience handling matters arising under
the Sarbanes-Oxley Act, the Dodd-Frank Act, the False Claims Act and the Foreign Corrupt
Practices Act.
19
19
2019 will have its ups and downs.
We’re here to help smooth out the ride.
Whether you need to maximize compliance efforts with automated solutions or ensure core values are
embedded throughout your organization, NAVEX Global will help you achieve the full ROI of an ethical
workplace with a platform of purpose-built technology.
Contact us at www.navexglobal.com/contact
6. Incentivizing Ethics: What Does the Future
Hold for Paying for Ethical Behavior?
By: Ed Petry Cons of Incentivizing Ethical Behavior

Over the years, organizations have tried many different »» As a member of Trust Across America’s Trust Council
approaches to incentivize ethics with decidedly mixed noted: “There’s something prima facie anti-ethical
results. In 2018, at least one company has received about paying people money to behave ethically. If
considerable attention for its program to grade you have to be paid to be ethical, you’re not.”
employees on their ethical behavior, which linked to
»» It may send the wrong message: Acting ethically is an
bonus eligibility. In the coming year, we expect other
“extra,” and it’s OK to act unethically, you just won’t
organizations to follow this lead and create their own
receive a bonus.
ethics incentive systems.
»» It rewards people for doing what should be a basic
Even though this topic is currently getting a lot of condition of employment.
exposure, it is not new. But few ethics and compliance
topics have been the subject of more heated debate. To »» From a more legal point of view, there are concerns
understand more about the price of paying for ethical that a negative evaluation can be discovered and
behavior, let’s review some pros and cons. later used against the company in litigation. For
instance, if a person with “substantial authority”
receives a poor ethics performance review and is
Pros of Incentivizing Ethical Behavior subsequently involved in additional wrongdoing,
»» Incentivizing ethics seems like common sense. As the company may need to prove that it properly
Joe Murphy argued, incentives are used throughout addressed the initial negative evaluation. Without
our business operations to drive behavior. Ignoring sufficient documentation, it could indicate that the
incentives when it comes to ethics is ignoring reality, company’s compliance program is ineffective.
and it neglects an opportunity to make the most of »» Perhaps most importantly, ethics performance
an effective management tool. and bonus plans can create a disincentive to raise
»» Incentives can be an excellent way to send a strong problems. We’ve seen this occur in safety programs.
signal that ethics and compliance are important to an Employees may be unwilling to raise concerns if
employee’s success. doing so may tarnish the team’s or the manager’s
record. Any ethics incentive program needs to be
»» If it accomplishes nothing else, the creation of an structured carefully to avoid this.
ethics performance system is bound to stimulate
discussion about ethics, values and compliance and
increase awareness among employees and others.
21
21
Measure Value, not Tasks
As you consider if/how you will incentivize ethics, there is
a key question to answer: Which standard will you use to
assess ethics?
Most managers dread having to grade employees on

subjective values-based criteria such as “living the
standards” or “acting in accordance with our core
values.” While this approach may work well for identifying
behavior at the extremes, it is very difficult to apply to
the vast majority of employees in any meaningful and
actionable way. In addition, values-based assessments
often result in inconsistencies, and over time can lead to
“grade inflation.” It’s far easier for managers to hand out
“above-average scores” rather than explaining why an
employee “needs improvement” or was only average on
“living the value of respect.”
If a values-based approach is taken, managers should

be given guidance and training on how to make
evaluations. Findings should be documented, and the tasks. While compliance tasks are certainly important,
company should have an established process in place for an overemphasis on check-the-box tasks runs
consistently addressing negative assessments. counter to efforts to position ethics in terms of
values and culture.
For these reasons, most organizations instead opt for
systems that use objective and data-driven criteria. »» Instead of encouraging employees to always act in
As Tom Fox noted, “the simplest way to incentivize a way that is consistent with the company’s values, it
employees is to create metrics that they readily creates a subset of tasks that “count” and devalues
understand and are achievable in the context of the other actions that don’t.
compliance program,” such as completing training. Other »» Performance targets of any type – including ethics
similar goals include code certifications, engagement targets – can create pressures to cut corners and
survey results and cooperation with specific compliance aggressively pursue goals.
office requirements.
The last point above creates the ironic situation

While this has been the preferred approach, it is not
where ethics goals can promote unethical behavior.
without its problems.
Whenever a performance target is quantified, there is
an incentive to manipulate the process to attain the
Understanding the Fine Line desired number. Engagement surveys are especially
Between Incentivizing Ethics prone to management manipulation and efforts to
steer employees to the desired answers. Employees
& Gaming the System
themselves, even without coaching, can skew survey
»» Objective-based approaches can contribute to the results to avoid further attention from the compliance
sense that ethics is all about completing compliance office or to ensure that their boss receives his or her
22
22
bonus in the hopes that it will improve their work program or it can identify consistent behavior over
environment. These actions not only undermine the time. Non-monetary recognition can take a variety of
effectiveness of the survey but also artificially inflate forms, including:
the apparent ethics performance of the manager or
employee group. »» Featuring employees or teams on the company
website or newsletter
Key Steps for Organizations to Take »» Acknowledgement from the CEO or other leaders
Review Existing Corporate Incentive Plans »» A company donation to a charity of the employee’s
choosing in the employee’s name
Before creating new ethics-based incentive programs,
an immediate impact can be made by reviewing existing »» Perks such as time off or a preferred parking space
incentive plans. Ethics officers should make it a priority
to critically examine the role incentives are currently
playing in driving unethical conduct throughout their Understand the Power of Promotions
organization. This may include incentives tied to sales
Whether or not you consider building an ethics incentive
and revenue targets. For example, are they structured to
plan in 2019, remember that by far the most important
promote excessively risky and aggressive sales methods?
and effective ethics incentives are promotions. Decisions
Do managers exert excessive performance pressure?
about promotions truly drive the culture. Employees
take note of who gets promoted. If your organization
Consider Alternatives to Monetary Incentives promotes top performers who are known to act contrary
There are many ways to incentivize performance, and to the company’s values, or otherwise undermine ethics
they should be considered in addition to (or instead and compliance, that message trumps all others. And
of) monetary performance awards. Recognition can be on the flip side, if it is clear that ethics and values are
based on courageous or exceptional behavior that aligns a key component of who advances, that too sends a
with the goals of the company’s ethics and compliance clear message.
About the Author
Ed Petry, Senior Advisor, NAVEX Global

Ed joined NAVEX Global in 2004 after almost 10 years as executive director of the Ethics
and Compliance Officer Association (ECOA). Ed served on the Advisory Panel to the U.S.
Sentencing Commission, which was responsible for the 2004 revisions. Earlier in his career
he was a tenured professor of ethics and a prolific author and researcher. At NAVEX Global,
Ed applies his more than 25 years of experience to help companies assess their ethics and
compliance programs. He has also written many of the most admired codes of conduct for
companies worldwide across nearly every industry.
23
23
7. Third-Party Risk is NOT Just
About FCPA Anymore
By: Kristy Grant-Hart Specially Designated Nationals and Blocked Persons List,
but instead because the company’s former subsidiary
Prior to 2019, the rules for dealing with third parties were allegedly sent goods to a blocked Russian entity. What
simple: perform due diligence, implement sanctions contributed to this failure? Cobham Holdings’ third-party
screening software, use reputable cloud providers, and search software failed to raise red flags that would have
ensure that everybody stays out of politics. But in 2019 caught the compliance issue before it was a problem.
and beyond, the risk of third-party relationships is no
longer limited to the wrath of the Department of Justice Regulatory agencies such as OFAC are upping their game
and Serious Fraud Office. Reputational risk has gone up when it comes to catching violators. Companies have
exponentially with respect to third-party behavior. long relied on automatic sanctions screening software.
In most cases, they have to. Multinationals may have tens
Aggressive new sanctions actions by the Office of of thousands of third parties, especially if they cater to
Foreign Assets Control (OFAC) have raised the bar, and members of the public that need to be screened before
the fallout from data breaches post-European General services can be provided. But the Cobham Holdings’
Data Protection Regulation (GDPR) means that third prosecution is a reminder that software alone cannot
parties holding customer data have more power than be the answer. Consistent review of protocol designed
ever to topple the public’s trust in a company. and implemented by humans is required to reduce
risk and to provide a barrier to what is often a strict
Third-party risk has broadened in three substantial ways: liability offense.
1. Expanded risk of prosecution for sanctions violations

The Rising Reputational Risk
2. Increased reputational risk of association with of Association
controversial companies and CEOs
For decades, most companies have tried to steer well
3. Heightened risk of a data breach exposure away from politics – at least publicly. But the rise of social
media, shareholder activism, and the 24-hour news cycle
The Rising Risk of Working with have led to pressure for companies to react to politics
as never before. That reaction can have a ripple effect,
Sanctioned Parties
especially on other companies closely linked to the target
In late November 2018, shockwaves went through the of such activism.
compliance community when Cobham Holdings Inc.
reached a settlement with OFAC for $90,000 because In 2018, numerous companies all asked for their campaign
of a sanctions violation. The settlement was the second contributions back after a candidate for U.S. Senate
recent OFAC action relying on the “50 percent rule.” In made controversial comments caught on tape. Also in
Cobham Holdings’ case, the underlying violation was 2018, several companies announced that they would
not triggered because the person or entity was on the stop selling the AR-15 firearm after shootings at a
25
25
Florida school. These days, companies are taking a Key Steps for an Organization to Take
public stance on controversial issues – and that creates
a whole new kind of reputational risk for the entities Implement a Sanction Screening Protocol that
working with them. Involves People
While your sanctions screening software is a critical
Publicly announced decisions that are made in response
safeguard tool, a system needs to be in place to further
to controversy will frequently create passionate,
review problematic or potentially problematic third
polarized responses. Statements of internal policy,
parties. Check the settings on your software. Is it set
such as companies announcing they will no longer
to allow you to review fuzzy matches? Do you have an
reimburse meat-based meal expenses, has created
escalation protocol that allows the compliance team to
media storms with unpredictable outcomes. Even our
review potential matches? Does the compliance team
blue-chip companies are not immune to the reputational
perform a regular spot check to ensure the software is
dismantling that results from catastrophic culture failures.
working as it should? Have you separated third parties
or customers from high-risk countries (those currently
When it comes to reputational risk from third parties,
under sanctions) for deeper-dive screening than those
not all relationships are created equal. For instance, if
in lower-risk countries?
a company uses a bank that incurs a billion-dollar fine,
the controversy at the bank will likely have no effect on
Review your protocol to ensure you’ve got a system in
the company whatsoever. However, if a company has a
place that works. A good system will utilize software
joint venture with a third party that makes an unpopular
and humans to ensure compliance.
proclamation or has a CEO scandal, the negative halo
effect can be extremely destructive.
The Rising Risk of Third Parties

Holding Personal Data
Perhaps the most spoken phrase this year in compliance
and privacy departments was, “Fines can go up to 4
percent of global turnover.” Although the big GDPR
deadline passed in May 2018, enforcement is just starting.
Indeed, many European data protection authorities are
beginning to show their teeth, with prosecutions and
huge fines taking hold.
It’s not just Europe where data breaches create cause

for alarm. Nearly every state in the U.S has some sort
of data breach notification law, and California’s new
Consumer Privacy Act will up the ante further for
compliance requirements.
Regardless of regulatory jurisdiction, your customers

don’t care if your third party was careless with their
data. If you have a data breach, the customer will be
angry with your company. Your company will also likely
be the one providing solutions. Some solutions, such
as credit monitoring, can be very expensive if extended
to thousands of people.
26
26
Third-party risk must be managed. Check Your Contracts with Companies that Have
Personal Data
By expanding your viewpoint from
If you target or sell to Europeans, or if you have a
“bribery risk” to a holistic review of
European presence, you probably prepared for GDPR.
each third party, you’ll be able to Now is the time to make sure those third-party processor
protect your company in all of the contracts have the required terms from Article 28.
ways required in 2019 and beyond.

Whether your company is in Europe or not, Article 28
terms can be very useful for all of your contracts with third
parties that process personal data on your company’s
Have a Back-Up Plan for Critical Third Parties behalf. Make sure you include the requirements that
Perform a risk assessment to determine which of your key the company notifies you without delay if a data breach
suppliers, joint venture partners, and other high-profile occurs. Put in safeguards requiring minimum levels of
relationships are most exposed to reputational risk. For data security. Add in the requirement to delete or amend
business-critical third parties, try to find a back-up that data that is no longer active or accurate.
can be implemented should a political statement or

Third-party risk must be managed. By expanding your
other scandal threaten the company. Forward thinking
viewpoint from “bribery risk” to a holistic review of each
can protect your company from being drowned by
third party, you’ll be able to protect your company in all
another company’s bad actions or ill-thought-out
of the ways required in 2019 and beyond.
political statement.
About the Author
Kristy Grant-Hart, Author and CEO, Spark Compliance Consulting

Kristy Grant-Hart is an expert at transforming compliance departments into in-demand
business assets. She’s the author of the book “How to be a Wildly Effective Compliance
Officer” and CEO of Spark Compliance Consulting, a London and Los Angeles-based
consulting group. She is also an adjunct professor at Delaware Law School, Widener
University, teaching Global Compliance and Ethics. Before launching Spark Compliance,
Ms. Grant-Hart was the Chief Compliance Officer at United International Pictures, the joint
distribution company for Paramount Pictures and Universal Pictures in 65+ countries.
27
27
8. Moving from Speculative to Realistic
Conversations on Artificial Intelligence
By: David Banks Instead of planning for the entirety of the singularity,
reframing the conversation around AI can help
Many conferences, white papers and webinars in 2018 compliance professionals stay focused on the things
was dedicated to artificial intelligence (AI). Futurists, they can control.
technologists, and innovators on the bleeding edge
of technology have shared the seismic changes to the
workplace the compliance industry should expect.
Identify the Compliance Problems AI
The shift from linear growth to exponential growth Can Solve
and the elimination of administration has been on the
When considering AI solutions, we first must understand
tip of every tongue.
the key characteristics of AI and then match those with
existing programmatic problems. Displaced efficiencies
At first blush, it was exciting, it was educating. Now,
just create more work. This begins with understanding
however, the lack of clear steps for implementation has
the tasks AI and similar cognitive computing technologies
created a bit of anxiety, resulting in a state of analysis
like machine learning are really good at, including:
paralysis around AI adoption. We all know we need to
get up to speed, but we don’t want to run the risk of
»» Automating manual data entry
outpacing ourselves or missing the mark on true ROI.
»» Filtering for errors or patterns
To calm any unnecessary anxieties around AI, it is
important to understand that compliance professionals »» Continual monitoring of regularly updated lists
do not need to become AI experts. We are not
»» Predictive analytics
technologists, and we shouldn’t be. Compliance
professionals are experts on corporate culture, risk
These trailheads point us down the path to several key
mitigation, and change management. It is that expertise
considerations. First, regulatory changes are always in
that we need to apply to the adoption of AI solutions.
flux. AI that can keep us informed of real-time updates
is key here. Furthermore, many changes required
by regulatory updates often require a prescribed
modification to a strand of text, policy or training
When considering AI solutions, across the organization. Automating regulatory update
we first must understand the key notifications and the necessary actions in response is
characteristics of AI and then match administrative overhead AI could effectively streamline.
those with existing programmatic Similar to the moving target of regulatory compliance,
problems. Displaced efficiencies third-party risk requires continuous monitoring of third-
just create more work. party partners as well as sanctions screenings. The
ultimate strategy behind engaging new partners will
29
29
always be up to third-party risk management leaders, but
automated screening and due diligence can be effective
information catalysts for enhancing or revising strategies
as needed.
Pattern detection is also a key perk of AI. For compliance,

this can be instrumental for identifying employee
behavior trends. Hotline reporting data can be latently
monitored to create key indicators of when and where
certain behaviors are taking place. This information
can then trigger the appropriate changes to policy and
procedure management and compliance training rollouts.
Adopt Technology while Remaining an

Employee Advocate
Because of the robustness of AI solutions, errors (much
like the benefits) can proliferate exponentially and
instantly. The most noticeable concern for compliance is
currently unconscious bias – that of the engineers who
developed the technology, the program administrators
integrating the technology, or data analysts processing
the patterns and results the technology returns.
Many organizations have employee demographics that

are disproportionately something – one characteristic
or another dominates over others. Fed into artificial
intelligence software, these characteristics become the
norm and, when left unchecked, can return false positives
for abnormalities. For instance, an AI program might
determine that on a given team, in a given year, female
employees used more paid time off (PTO) than their male
counterparts. Fed into another AI program for hiring,
this data teaches the AI to prioritize male applicants.
What the software misses is that on that given team, in
that given year, two female employees used their PTO to
supplement their maternity leave. The next year, this may
be mirrored by the team’s paternity leave.
This is not an error with the technology. It is an oversight

in the data the technology is being fed. Compliance
professionals have the expertise to understand the
human side of the workplace, and therefore need to stay
vigilant in selecting the right AI, and scrupulous on how
that technology is implemented.
30
30
Key Steps for Organizations to Take Strive for Digital Harmony
New technology is rarely successful when bolted on
Create a Framework for Evaluating the ROI of to existing tech stacks. Instead, AI solutions should
Your Solution integrate fully into existing compliance and enterprise-
The price tags for AI solutions are at a premium. Before wide solutions. This creates ROI that extends further
making your purchase, you must be certain the cost than just the compliance department. You especially do
savings will ultimately outweigh the investment. Cost not want your new technology to create challenges or
is currently high because many artificial intelligence inefficiencies for other teams.
solutions need to be customized for each company. This
comes with pilot, implementation and improvement Make Sure “Garbage” Cannot Describe Any of
phrases, each requiring significant time and budget to Your Data
accomplish. To confirm you are purchasing the right
“Garbage in, garbage out,” is the pivotal phrase when
solution, and to have a clear roadmap for measuring
it comes to AI. For artificial intelligence to truly act
success, develop an evaluation framework. In the
intelligently and for machine learning to actually learn,
simplest of frameworks, AI solutions should check three
it needs the most accurate raw data. When implementing
boxes: it’s reliable; it’s real-time; and it creates a single
a new AI solution, do extensive due diligence on the
source of truth. Ask your potential vendors how they can
data being processed as well as monitor the results
deliver on these requirements.
to ensure inaccuracies are in no way driving your
business decisions.
About the Author
David Banks, Editor in Chief, Ethics & Compliance Matters Blog

David is the editor in chief of NAVEX Global’s blog, Ethics & Compliance Matters™,
a publication that has received JD Supra’s 2017 and 2018 Readers Choice Award.
A business writer and editor, David works with compliance practitioners to develop
educational, informative and inspirational content that provides practical and proven
instruction for the field.
31
31
9. #MeToo: From Hashtag to
Movement to New Normal
By: Ingrid Fredeen Creating Cultures of Understanding

Even after more than a year with the #MeToo Movement, Cultures of understanding ensure that responses to
complaint numbers remain strong. Preliminary numbers sexual harassment are appropriate and rehabilitating, not
for 2018 show an increase in sexual harassment exacerbating. Unfortunately, we are currently getting a
complaints filed with the EEOC. Employers are seeing an glimpse at the latter.
increase in complaints as well, according to the NAVEX
Global 2018 Hotline Benchmark Report. And a new Over the past year, one thing has become very clear.
survey, finds that “about a third of men said they had Victims don’t forget. And for some, the pain they suffered
done something at work within the past year that would remains raw despite the passage of time. Instead of
qualify as objectionable behavior or sexual harassment.” a response of empathy for the victims, we are seeing
discussions around whether their allegations are to be
This is not for a lack of trying. Over the past year, much believed. These discussions often ignite heated and
has shifted in the way we talk about, experience, and unproductive debates that demonstrate ignorance about
evaluate claims of sexual harassment in the workplace. the experience of being a victim.
Many powerful men have been held accountable for
their actions; Wall Street has developed “the Weinstein Along with a lack of empathy, we are seeing counter-
Clause” to protect their financial investments; and states productive responses. Men have reported changing
across the U.S. have banned non-disclosure agreements their behavior (but not in the way you would hope). Some
(NDAs) in matters of sexual harassment. men (all ages, professions and backgrounds) are simply
choosing to avoid women. To “protect” themselves, they
#MeToo has demanded action, and we are seeing action. have rules about not eating with women, or meeting
However, much of this action is fueled by the desire with them alone in a conference room, or mentoring
to mitigate corporate reputational damage caused by them. This practice of isolating women and cutting off
harassment. These reactionary efforts can be seen as their access to social and career growth opportunities is
window dressing, and not doing enough to achieve likely damaging your organization now. These reactions
real change – the change that accounts for the human indicate that employees don’t understand harassment,
side of harassment. and don’t trust that their employer does either.
Employers who are serious about addressing harassment What lessons should we learn from the reactions of our
in 2019 will need to dig deep, and work on two employees? Our workplace cultures need more care
fundamental flaws that exist in current harassment and attention. Fear (of retribution, retaliation, damage
prevention programs: lack of understanding and to career, etc.) still drive behavior and silence victims.
empathy, and a lack of transparency. These two issues Employers need to build emotional and interpersonal
form the foundation of trust in employer efforts, and human intelligence, and find ways to cultivate empathy
recent events have made clear that the foundation is to combat these fears. Absent action in 2019, fear will
shaky at best. continue to fuel culture damaging behaviors.
33
33
Transparency Is Necessary to Restore With social media, digital technology, and empowered
citizen reporting, transparency is no longer a choice, it’s
Trust in a Broken System
a necessity when managing a corporate culture. Today’s
In 2018, employees sent their employers a clear message employers have two options in a social media savvy
– that trust is broken. According to the 2018 Edelman world: Be part of the solution, or be part of the story.
Trust Barometer, trust in business to do the right thing When companies choose not to take the lead, the
took a major hit. Recent events have demonstrated to us public is now equipped to compel transparency.
that employees don’t believe that their employers will
respond properly if they bring a complaint, or that they
will be treated fairly if there is a complaint made against
them. This is likely the sentiment even if your organization
Be Prepared to Act, but not Overreact
is doing everything right because your process has, until
now, been shrouded in secrecy. Don’t let the demand for action result in kneejerk
reactions. Organizations must be prepared to react,
Compliant handling and remedial measures are under investigate, and respond properly, in ways that are
increased scrutiny. It used to be that an internal fair and just. Firing someone is not always the right
investigation was generally just that – an isolated answer, and when it is, it should be after a conclusive
investigation of a report that involved a small handful investigation. Don’t create a situation where you need to
of people, and a victim who had no idea what other backtrack because you made a hasty or unfair decision.
employees had complained about or experienced. Show those who complain and those who are accused
There was very little transparency or even expectation that the process is fair and trustworthy.
of transparency – victims were expected to trust their
employer to do what is right. NDAs previously ensured Check Your Bias at the Door
that victims did not speak about their experiences.
Ensure that your process for vetting complaints is fair
Recent events have surfaced a general public conclusion
and thorough and treats victims and those accused
that more harm than benefit has been done by the
with respect and dignity. Ask yourself if you or your
current, trust-based system. Employers have abused
investigators have a bias against victims or perpetrators
employee trust by not holding powerful perpetrators
that influences how you investigate claims. Train your
accountable for their actions and distrusting those who
investigators and managers to recognize any conscious
spoke up. Employers (who collectively did not respond
and unconscious biases they may have, and how to
adequately to the need for a change in approach) now
ensure these biases do not influence the incident
find themselves facing new legislation prohibiting the
management process.
use of NDAs at the state level and a constant stream of
very public scrutiny and coverage of their process for
Reinforce Your Culture Even if It Requires
addressing harassment allegations.
Tough Decisions
The Edelman Trust Barometer also indicates that “Respect” as a value alone does not mean anything,
employees are looking to their own organizations, and unless employees at all levels are held to a high standard
in particular their CEOs, to rebuild trust. And greater of behavior. This can require very tough decisions about
transparency will be critical. In 2019, it will be important to good employees who are nonetheless disrespectful
find the right balance between total confidentiality (often to others. It may even require terminating employees
a legal recommendation) and the need for transparency who do great things for your business, but just don’t
to build trust in your organization, your leaders, and your understand how to treat others with respect.
internal processes. Standing behind your words is what helps build a
culture of respect.
34
34
Embed the Sentiment of Your Policies through Be More Transparent
Effective Training Consider ways that your organization can share
Updating policies and procedures with language that information about your process, your efforts, and the
accurately and appropriately elevates expectations actions you have taken to address harassment. The
for employees in regard to sexual harassment is key. information you share may be a quarterly summary and
But to truly embed these values into the organization, an annual report – but at a minimum what you decide
employees, managers and leadership all need to be to share must communicate to your employees that you
properly trained. This requires anti-sexual harassment are actually taking action, and that you stand behind
training that resonates with employees, and clearly your commitment. Find that balance between too
identifies right, wrong and the gray areas in between. much detail and enough to help rebuild trust in your
values and leaders.
About the Author
Ingrid Fredeen, Vice President, Online Learning Content, NAVEX Global

Ingrid Fredeen, J.D., Vice President, Online Learning Content, has been specializing in ethics
and legal compliance training for more than 10 years. She has been the principal design and
content developer for NAVEX Global’s online training course initiatives utilizing her more
than 20 years of specialization in employment law and legal compliance. Prior to joining
NAVEX Global, Ingrid worked both as a litigator with Littler Mendelson, the world’s largest
employment law firm, and as in-house corporate counsel for General Mills, Inc. a premier
Fortune 500 food manufacturing company.
35
35
36
36
10. Old Compliance Lessons Apply
to New Compliance Trends
By: Ed Petry “because it is about thinking, and because life is not

black or white.” The game consisted of 55 mini-cases –
It’s been nearly 40 years since organizations first some having multiple correct answers. George and his
appointed ethics officers. In those early days there were team traveled the world and “played” the game with all
no guidelines or best practices to rely on; instead the 60,000 employees. Not only was it an excellent way to
first ethics officers borrowed concepts from academic highlight the importance and complexity of business
and leadership theories and drew heavily from their ethics, it allowed George to participate face-to-face with
own management experience. Innovation was a employees in spirited discussions. The game was a hit
necessity; practical solutions and low-cost and other companies created similar training resources
efficiencies were essential. that, for example, featured cartoon characters from
Dilbert and others that copied the format of popular
By the early 1990s, there were hundreds of in- TV gameshows.
house ethics officers, enough to create professional
associations, forums and conferences. Formal guidelines Today, it can be a gamble to use humor to deliver ethics
and best practices were developed and gradually messages – political correctness and regional differences
organizations fell in line, following a common approach can be hard to navigate. And yet, George’s insight that
to ethics and compliance often dictated by government games are a great way to start a conversation is being
requirements and reinforced by best practice revisited. Organizations are experimenting with training
conferences. Over the years, ethics officers – always that uses applications similar to popular online games.
prudent and risk-averse – tended to eschew Employee contests are being added to awareness
innovation for the relative safety of a standard, campaigns to generate interest. And perhaps the best
eight-step E&C program. example of a recent effort to break through the stodgy
sameness of compliance is the code of conduct from
Recently however, it’s been encouraging to see an Activision Blizzard. It’s simple, lively and makes use of
increasing number of organizations reaching back and the company’s trademark characters.
giving new life to old ideas – but with a twist. Those ideas
are being partnered with technologies that were simply
not available years ago. Here are some of the ethics and
Locally Sourced & Home-Grown
compliance trends that are coming back around. To ensure consistency, organizations often take a
top-down approach to ethics and compliance. While
Ethics Doesn’t Have to Be Dull efficient, this can ignore the important variety of
cultures and subcultures that exist even in relatively
In the mid-1980s, George Sammet, a retired Army small organizations. In the 1990s, The Friedken Group,
Lieutenant General and one of the first ethics officers, a privately held diverse business based in Texas,
wanted an engaging way to train Martin Marietta’s allowed each business group to develop its own training
employees. He developed a board game called Gray and awareness content. The corporate ethics office
Matters. “It’s called Gray Matters,” he explained, established overall goals and was available to help,
37
37
but local teams were responsible for creating training all about shaping human behavior – encouraging good
and awareness that would work best for them. Ideas were choices while keeping bad behavior in check. Behavioral
then shared corporate-wide and each year the initiatives economists, psychologists, sociologists and philosophers
becme more effective and increasingly creative. have researched and published extensively on this very
topic, and yet for years, their findings have rarely been
The Friedken Group’s approach worked because it tapped by us to improve our programs.
recognized the critical importance of tailoring content
and format to align with diverse subcultures within The earliest business ethics conferences organized by
any organization – what works in R&D may fall flat in W. Michael Hoffman at Bentley University successfully
Accounting. The approach also recognized that insights connected academics with executives, and the
and talent were not confined to the corporate staff. interaction was a major source of insight and innovation.
And, perhaps most importantly, by encouraging local Fortunately, this broad and deep approach to business
initiatives, training and awareness were far more effective ethics is now making a comeback. The Ethics and
because each local group had a stake in its development. Compliance Institute (ECI) and The Society for Ethics and
Compliance (SCCE) have recently addressed this topic
Back in the 1990s, enabling and coordinating diverse at its conferences, and the SCCE’s Adam Turteltaub has
initiatives was a daunting task. But today, the logistical often spoken on the importance of studying and applying
difficulties can be largely eliminated by using instant the work of researchers and behavioral economists
messaging and networking tools like Slack, Kapost, and including Daniel Kahneman, Dan Ariely, Max Bazerman
Trello that make it easy for employee teams to work and Ann Tenbrunsel.
together and share ideas.
The key steps to take in response to any trend in any
year should begin with a realignment with fundamental
The Fundamentals Never Go out of Style
compliance concepts. We should always remember that
Keeping up with the complexity of today’s ethics we operate in an exciting industry, doing important work;
and compliance programs and the daily demands for the work we do needs to resonate with real people; and
documentation and metrics can be all consuming for there is rarely a one-size-fits-all solution to anything.
ethics and compliance officers. But beyond checking
the boxes, it’s important to remember that when all is With those guide posts, the work we do will continue to
said and done, business ethics and compliance are really be rewarding for ourselves as well as for the organizations
and people we are charged with protecting.
About the Author
Ed Petry, Senior Advisor, NAVEX Global

Ed joined NAVEX Global in 2004 after almost 10 years as executive director of the Ethics
and Compliance Officer Association (ECOA). Ed served on the Advisory Panel to the U.S.
Sentencing Commission, which was responsible for the 2004 revisions. Earlier in his career
he was a tenured professor of ethics and a prolific author and researcher. At NAVEX Global,
Ed applies his more than 25 years of experience to help companies assess their ethics and
compliance programs. He has also written many of the most admired codes of conduct for
companies worldwide across nearly every industry.
38
38
About this Resource
The issues, concerns and opportunities found in NAVEX Global’s annual Top 10 Ethics & Compliance Trends are
generated by thought leaders who work in, report on, and develop solutions for the compliance industry. The eBook
was compiled by the editors and contributors of NAVEX Global’s blog, Ethics & Compliance Matters™, and each article
was authored by a current contributor to the blog. You can keep up with the evolution of these trends and others
throughout the year when you subscribe to the Ethics & Compliance Matters Blog.
Definitive Guide Series

Continue your work to build a robust and agile compliance program that keeps pace with an evolving industry with the
best practices found in our Ethics & Compliance Definitive Guide Series.
Definitive Guide to Incident Management

Learn everything you need to create an effective case management program – from planning to implementing to
measuring results - with our comprehensive guide.
Definitive Guide to Third-Party Risk Management

Learn everything you need to know about effectively managing your third-party risk – from defining a due diligence
process to creating risk-based strategy.
Definitive Guide to Ethics & Compliance Training

Find the tools and information you need to define and develop an engaging compliance training program, implement
a multiyear education plan, address your most pressing risks, and measure, evaluate and improve your compliance
training effectiveness.
Definitive Guide to Policy & Procedure Management

Learn how to effectively and efficiently manage your organization’s employee handbook, code of conduct and other
important documents. This guide gives organizations of all sizes insight on how to optimize policy and procedure
management with real-world examples, helpful tips, and research.
Definitive Guide to Compliance Program Assessment

Perform an effective compliance program assessment using industry evidence and insights to evaluate your efforts.
Ensure you can swiftly respond to new laws and regulations, lines of business, geographies and mergers and acquisitions
that add to a growing enterprise your compliance ecosystem must support.
Definitive Guide to Your Code of Conduct

Learn everything you need to transform your code of conduct from a document into a resource that employees can use to
engage with your organization’s goals and values.
39
39
NAVEX Global provides a comprehensive suite of ethics and
compliance software, content and services that help organizations
protect their people, reputation and bottom line. Trusted by
more than 13,000 customers, our solutions are informed by the
largest ethics and compliance community in the world. For more
information, visit www.navexglobal.com.
Americas EMEA + APAC
5500 Meadows Road, Suite 4th Floor, Vantage London
500 Lake Oswego, OR 97035 Great West Road
United States of America Brentford, TW8 9AG
info@navexglobal.com United Kingdom
www.navexglobal.com info@navexglobal.com
+1 (866) 297 0224 www.navexglobal.com/uk
+44 (0) 20 8939 1650
Copyright © 2019 NAVEX Global Inc. All Rights Reserved.

Top 10 Ethics &amp; Compliance Trends for 2019

Uploaded by

Copyright:

Available Formats

You might also like

Top 10 Ethics &amp; Compliance Trends for 2019

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Top 10 Ethics &amp; Compliance Trends for 2019

Uploaded by

Copyright:

Available Formats

A NAVEX Global eBook