Top 10 Risk & Compliance Trends For 2020

A NAVEX Global eBook
Top 10 Risk & Compliance

Trends for 2020
Predictions & Recommendations for the Year Ahead
Table of Contents
I. Managing the Impact of Politics in Our Organizations 3

Author: Ed Petry, Senior Advisor, NAVEX Global
II. Future-Casting Culture in M&A Due Diligence 7

Author: Fernanda Beraldi, Senior Director, Ethics & Compliance, Cummins Inc.
III. Impact of Digitized Environments & Modern Workplaces on Internal Investigations 11

Author: Scott Moritz, Senior Managing Director, FTI Consulting
IV. We Need to Learn How to Train Humans, Not Employees 15

Author: Ingrid Fredeen, VP Online Learning Content, NAVEX Global
V. Sanctions Compliance in the Era of Financial Warfare 19

Author: Mike Volkov, CEO & Owner, The Volkov Law Group, LLC
VI. R3: People Risk, Business Risk, & Regulatory Risk 23

Author: Sam Abadir, Director IRM Industry Solutions, NAVEX Global
VII. Data Privacy Is Not a Law, It’s a Lifestyle 27

Author: Jess Wilburn, Data Privacy Officer & Senior Counsel, CIPP/US, CIPP/E, NAVEX Global
VIII. Today Whistleblower Protections Driven by Legislation, Tomorrow by Value 30

Author: Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global
IX. Finding Your Footing in a Sea of Regulations & Guidance 34

Author: Kristy Grant-Hart, Author & CEO, Spark Compliance Consulting
X. Hotlines, Headlines & Hearsay: When Whistleblowing Is National News 38

Author: Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global
XI. About this Resource 41
Top 10 Risk & Compliance Trends for 2020 | +1 866 297 0224 | info@navexglobal.com | www.navexglobal.com
Introduction
Every year as we prepare for this annual publication, we discuss how the social,
political and environmental landscapes our businesses operate within are growing
more and more complex. We explore the implications of new regulations, new
enforcement of old regulations, and the nuances of human behavior growing
more disparate in a strained cultural climate.
At first blush, this year is no different. We are entering a time of political elections, transitions and regimes rife with
controversy. We’ve experienced a firehose of regulatory activity across the globe, covering everything from sanctions
compliance and data privacy, to enhanced whistleblower protections. And we’re seeing a shift in the appetite for
advocacy and demand for justice from customers and employees alike.
But this is all more of the same for risk and compliance practitioners. We’ve always operated – and flourished – through
complexity. But something does feel different this year. It’s not the complexity itself but a shift in our perspective
and approach to that complexity. External pressures are still very real and comprise a number of our 2020 trends and
predictions; however, this year, many of our trends are a bit more introspective. Yes, we live in a hyper-regulated, hyper-
scrutinized, hyper-transparent world, but even with all these external pressures – and in part because of them – risk and
compliance professionals are looking inward at the programs and the risk management structures, roles and practices
designed to protect our organizations.
Over the past couple decades, we have taught ourselves to be defensive in our approaches to risk management. But no
matter how valiant those efforts are, a defensive strategy will always be a reactive one. And we are currently at a point in
our risk and regulatory development where we are not able to react to everything. We are now unlearning that defensive
nature and developing programs that are proactive.
Mature risk and compliance programs are taking a step back and thinking more holistically about their management
systems. We will never be able to prevent each and every risk, but we can create risk resilient systems. Resilient systems
align efforts across strategic, operational, IT, and compliance risk management capabilities. They manage risk, as well
as prepare for the inevitable risk failure. Resilient systems ensure business continuity, demonstrate overall program
effectiveness, and communicate to employees that risk and compliance is a business priority.
The risk and compliance landscape will always be defined by complexity. We’ve accepted that. We are now moving
on from deconstructing each and every risk and moving toward thinking more holistically about integrating our
strategies to simplify risk management.
1. Managing the Impact of Politics
in Our Organizations
By: Ed Petry But whatever the root cause, politics is creating

Senior Advisor, NAVEX Global significant risks that can quickly undo years of hard
work devoted to building a brand and nurturing an
A key responsibility for any ethics and compliance organizational culture. Managing the impact of politics
professional is to help build and maintain a work may very well be the hardest ethics and compliance
environment where employees are engaged and challenge we will face in the coming year.
cooperate toward common goals. Today’s social and
political climate is making it more difficult to maintain Here are some of the ways politics may have an impact on
collegiality and a positive organizational culture. our work and some suggestions for what you can do to
address the problem.
During the past year, the world has experienced a
resignation and succession in the UK prime minister seat;
Steps for Organizations to Take
the U.S. election year is beginning, and a presidential
impeachment hangs in the air; Brexit still looms large;
Manage Debates in the Breakroom & Beyond
and the future of China, both economically and politically,
continues to evolve. And these are just the highlights. No organization can – or should try – to prevent all
political discussions among employees. Debates are
The seriousness of these events has made heated important for civic and personal reasons and they
debates in the workplace all too common. And while are bound to happen in a diverse workforce. But
the risk of incivility and polarization in the workplace organizations do have a responsibility to help ensure
runs high, the impact of politics is extending beyond discussions remain respectful and never escalate into
just employee relations. Politics and disagreements over instances of harassment or even violence. Here are some
social issues are now causing consumer boycotts and steps to consider:
even employee walkouts.
» Increase your emphasis on awareness and training,
Social media and the many ways it has changed the especially related to your policies pertaining to
norms of discourse is certainly among the causes of this political activity and respect in the workplace.
trend, but – perhaps more fundamentally – politics itself And just as important, remember that consistent
may be to blame. Political discourse has become more enforcement is always essential.
focused on hot-button issues including race, immigration,
» Target your training toward leaders and those
gender, religion, power and fairness. In addition to more
who are identified as “repeat offenders” of office
arcane arguments concerning budgets or foreign policy,
decorum. This may be the most effective way to
politics is now about our identities, how we think about
zero in on those who are responsible for fanning
others, and our personal choices. In a nutshell, politics
the flames and creating troubling hotspots in the
has become very personal.
workplace.
The power of “call-out” or “cancel culture” is real. Call-
out or cancel culture is a form of public shaming where
individuals or companies are vilified for real or perceived
moral or political offenses. A litany of companies have
recently faced boycotts by consumers or walkouts by
their own employees. What can we do to minimize the
risk of being the next victim of organized outrage?
» Leverage the influence you have to make sure that

when decisions are being made about advertising
or other public-facing actions, the right people
have a seat at the table to speak up and challenge
potentially questionable activities. While predicting
what will trigger public outrage is hard, many
instances can be anticipated when filtered through
the right group.
» Ensure leadership as well as public-facing

departments are fully aware of the cancel culture
risks and have detailed action plans in place,
including internal communications plans to quickly
respond when needed. Being proactive and
paying more attention to the risks of triggering
public outrage is essential, but sometimes the best
approach may be preparing for when preemptive
processes are not enough.
Ensure Political Self-Censorship Does Not

Suppress a Speak-Up Culture
When a manager, senior leader or even the CEO speaks
out on a political issue or publicly supports a candidate
or cause, he or she may assume that the lack of any
pushback is a sign that others agree. Unfortunately,
Prepare to Be #Cancelled (While Trying Not to Be) this self-deception can have serious consequences. It
The social and political climate today has created a should be obvious to all that there are many reasons why
minefield for organizations. Every organization is at risk of employees might not publicly disagree with the boss.
a social media fueled backlash that can be sparked by an They may judge that it is not worth the career risk, not
advertisement, a statement by your CEO, or a post by an believe they have enough facts to challenge authority, or
employee. Even well-intended charitable donations can feel that they would be unfairly cast in a negative light by
spark outrage and boycotts if it comes to light that the their colleagues if their views were known. For all of these
charity’s mission or past activities are offensive to some. reasons many employees simply choose to self-censor.
Academics have studied why employees self-censor, and » Evaluate whether surveys and other means of
their findings are important to us because there may be assessing employee engagement are sufficient.
a connection between political self-censorship and the Are they able to indicate if self-censorship and
erosion of an organization’s speak up culture. disengagement are problems at your organization?
It’s hard to tell since the effected employees have
» Create a clear distinction between holding one’s “gone underground” and don’t wish to speak up. If
political tongue and raising one’s voice. When we are not aware of the scope of the problem and
employees believe they cannot voice their opinion or the depth of employee alienation, we may unwittingly
believe their views are not welcome, they may self- have an overly optimistic picture of our organizational
censor and withdraw from discussion. As ethics and culture and be missing an entire employee
compliance professionals, we need to ask whether population that is quietly frustrated or worse.
employees who self-censor from political debates
will also disengage from speaking up in general. Managing the impact of politics on our organizations is
When our leaders speak out on controversial issues, nothing new; however, that impact is growing larger and
they may be cheered on by some, but are we fully more divisive. It is essential for ethics and compliance
aware of the unspoken reaction by others and the officers to be tuned into their colleagues and public
cost? The risk may be exacerbated when leaders sentiment to prevent a damaging political brand event
tie their political opinions to the company’s values. and be prepared to remediate the downstream effects of
If an employee disagrees with the leader’s political such a failure.
views, they now run the risk of being perceived as
disagreeing with their employer’s values.
About the Author
Ed Petry, Senior Advisor, NAVEX Global

Ed joined NAVEX Global in 2004 after almost 10 years as executive director of the Ethics
and Compliance Officer Association (ECOA). Ed served on the Advisory Panel to the U.S.
Sentencing Commission, which was responsible for the 2004 revisions. Earlier in his career
he was a tenured professor of ethics and a prolific author and researcher. At NAVEX Global,
Ed applies his more than 25 years of experience to help companies assess their ethics and
compliance programs. He has also written many of the most admired codes of conduct for
companies worldwide across nearly every industry.
2. Future-Casting Culture
in M&A Due Diligence
By: Fernanda Beraldi Deal Size Expectations by Industry

Senior Director, Ethics & Compliance, Cummins Inc.
Despite global economic uncertainty, M&A activity is 61%
expected to accelerate in the years to come. According TMT 2%

to market research in Deloitte’s “The State of the Deal: 36%
M&A Trends 2019,” 79% of corporate executives expect
M&A deals to increase over the next 12 months. This is up
from already vaulted numbers in 2018.
70%
ENERGY &
Along with an uptick in deal volume, corporate executives RESOURCES 2%
believe M&A will be defined by higher dollar amounts 27%
and more diversity of targets. Technology acquisition has

reigned supreme as of late, but companies are expecting
to pivot to using acquisition as a means to expand their
62%
customer bases into existing markets as well as diversify
MANUFACTURING 1%
product and service offerings.
37%
While M&A outlooks are optimistic, there is a data point

that should not be glossed over: “About 40% of survey
respondents say that half their deals fail to generate the 63%
value they expected at the onset of a transaction.” That FINANCIAL SERVICES
(INCLUDING REAL ESTATE) 0%
is a significant failure rate. Failures can often be tied to
37%
unfavorable economic or market forces or a change in the
regulatory landscape, which can curtail initial plans for
expansion or integration. However, one aspect for failure
or success is often downplayed – culture. One in five 73%
LIFE SCIENCES &
corporate and private equity buyers highlighted HEALTH CARE 4%
“not achieving cultural alignment” as a limiting factor 23%
of success. I believe we will see this change in the years
to come.
INCREASE
KEY DECREASE
STAY THE SAME
Source: Deloitte: “The State of the Deal: M&A Trends 2019”
Using Cultural Insights to As M&A due diligence continues to
Maximize M&A Deal Success
mature, I believe we will begin to
At its base, M&A due diligence is an exercise in close the gap of cultural alignment
determining valuation and actualizing liability. Risk and and assessment. Here practices will
compliance professionals often focus on the latter, but
evolve to accurately assess a target’s
can also play a part in future valuation and deal success
when the right intelligence is uncovered. corporate culture today and, more
importantly, tomorrow.
Most M&A due diligence processes perform a thorough
evaluation of the compliance program, its policies and
procedures, its code of conduct, and its ethics and
compliance training curriculum. Just as in an external
substantiated. While those reports, cases and resolutions
audit of your own internal compliance programs, no
are important, I also want insight into the 58% of reports
stone should be left unturned – no program outcome
that were not substantiated. Who made them? What part
left unreviewed. This process generally results in a
of the organization did they come from? Why were they
narrative for liability to be weighed against risk tolerance;
unsubstantiated?
however, as deal success rates indicate, there is room for
improvement.
This is where we get into the future-casting state of
due diligence. The facts we could derive from process
As M&A due diligence continues to mature, I believe
review and the substantiated facts we could see from
we will begin to close the gap of cultural alignment and
aggregate incident management records may help
assessment. Here, practices will evolve to accurately
determine the target’s corporate culture and risk at
assess a target’s corporate culture today and, more
time of purchase. Corporate culture, however, can also
importantly, tomorrow.
inform future risk. One could get a hint at that culture
through substantiated case files, but it is a curated view
Steps for Organizations to Take of the culture prepared by the target. That is not to say
there is anything suspicious about that curation, but it
Go Beyond Substantiated Reports to will always be an interpretation. And I am positive that
Find Unfiltered Information Streams compliance officers out there prefer to make their own
Corporate culture is hard enough to evaluate in our own interpretations.
organizations, let alone trying to assess the culture of an
entirely different company. This is where organizations Better Define Cultural Valuation
can turn to aggregate, unfiltered internal hotline Based on Speak-Up Track Record
reporting data for a complementary stream of due
Use aggregate hotline data to get a better understanding
diligence intelligence. And I’ll emphasize “aggregate”
of what a speak-up culture is like at a target. Do
and “unfiltered.” Internal whistleblower hotline and
employees feel empowered to report misconduct? Are
incident management data is likely already part of
they properly trained on values and expectations for
most M&A due diligence processes, but this is usually
the corporation? Does the company really know what
relegated to substantiated case reports.
risk looks like, and is the culture equipped to support
enterprise-wide hygiene? Or is their potential cynicism or
According to NAVEX Global’s 2019 Ethics & Compliance
distrust brewing beneath the surface?
Hotline Benchmark Report, 42% of internal reports were
Aside from the cultural intelligence that aggregate liability embedded within the corporate culture they are
hotline data provides, the volume of reports can be integrating.
just as informative. Recent research out of George
Washington School of Business provides empirical M&A activity shows no signs of slowing in 2020 or in the
evidence that internal hotline reporting activity and years to come. To keep pace confidently, organizations
business performance are positively correlated. While will have to prioritize cultural alignment and assessment
the long list of performance indicators included in the and explore new ways to do that effectively. Internal
research is impressive, I am most intrigued by the finding whistleblower hotline data is surfacing as one of the most
that, “firms that actively utilized their hotlines received, elucidating information streams we have at our disposal
on average, 46% fewer negative news stories than when assessing and cultivating our own corporate
businesses with low or infrequent internal reporting use.” cultures. Now that we are seeing the predicative benefits
of that data, there is no reason compliance should not be
The last thing one would want during a post-acquisition incorporating it as a standard part of M&A processes, in
phase is a reputation-damaging news cycle, so the addition to just “digging” at substantiated reports.
first thing a compliance officer should be looking at is
whether they can have a clear-eyed view of the future
About the Author
Fernanda Beraldi, Senior Director, Ethics & Compliance, Cummins Inc.

Fernanda Beraldi works for Cummins Inc. in Indianapolis as Senior Director, Ethics and
Compliance. Cummins is a Fortune 150 multinational with operations in more than 190
countries and that has been selected 12 years in a row as one of the Ethisphere’s “Most
Ethical Companies.” Fernanda has 16 years of legal experience, and started at Cummins in
July 2015 as Director, Ethics and Compliance – Latin America, after having worked for more
than six years for the third-largest aircraft manufacturer, Embraer SA. She is a dual-licensed
(Brazil and Indiana) lawyer from Mackenzie University in Sao Paulo, Brazil. During the Master
of Laws program at Robert H. McKinney School of Law in Indianapolis, she served as a Spring
Extern for Justice Steven David at the Indiana Supreme Court and for Eli Lilly and Company.
Fernanda completed her Master of Laws program in Corporate and Commercial Law in 2015,
graduating cum laude. She was also one of the commencement speakers.
3. Impact of Digitized Environments &
Modern Workplaces on Internal Investigations
By: Scott Moritz scale frauds in connection with pay-per-click advertising

Senior Managing Director, FTI Consulting and other forms of online advertising fraud. Yes, large
scale, global e-commerce platforms enable small
One of the hallmarks of a successful investigation is businesses to sell their products worldwide, but sellers’
rooted in the expression “knowing what you don’t accounts are susceptible to being hijacked and their
know.” An experienced investigator knows a lot about customer remittances intercepted.
a lot of things – different types of fraud, corruption,
theft, misconduct, and the psychology underlying It’s not just new business paradigms that are posing
what motivates people to violate the trust that has challenges in complex investigations, but specifically the
been placed in them. They also know how these broad rapid increase of the adoption of new technologies and
categories of investigative incidents play out in different the inherent risk they bring to organizations.
industries, organizations, countries and cultures.
Financial Crime & Cybercrime
Of even greater importance than what the investigator
Will Continue to Converge
knows through experience is knowing and recognizing
It is a rare internal investigation that doesn’t entail
what is unknown. This extends not just to facts but
forensic data analysis of terabytes of email, instant
is often related to subject matter expertise. An
messaging, accounting, business and banking records
investigator’s ability to readily recognize what is unknown,
– that’s nothing new. But what is relatively new is that
and the corresponding subject matter expertise that is
many financial crimes are cyber-enabled. This means that
needed, has never been more important or relevant than
financial crime investigators and forensic accountants
it is right now.
need to understand network security and the software
The dizzying pace of technological growth and systems underlying enterprise resource planning,
innovation has created increasingly complex digital expense reporting, payroll, procurement, and electronic
environments and workplaces that are putting the banking.
concept of knowing what you don’t know to the test. In
Organizations’ reliance on information systems has also
response, the investigative and forensic accounting field
been exploited for the purpose of state-sponsored
is going through a significant metamorphosis to track
economic espionage and cyber extortion using
with the exponential expansion of the use of electronic
ransomware. And as if that isn’t sufficiently complex,
data and technology.
completely new digital business paradigms have come
Consider the recent highly publicized investigations of into existence requiring investigators to understand what
social media companies that have focused on how these goes on under the hood in companies across a spectrum
platforms are interacting with and accessing user data. of new industries, many of which didn’t exist 10 or 15
Or how Internet search engines have experienced large years ago.
11
The rules of evidence and investigative processes
have not changed much over the last 100 years. And
investigators must still gather information from whatever
sources are available. What has changed though is the
need to understand the type of information that is being
created and stored, how the evidence within those data
stores must be preserved, acquired and analyzed, and
the team and skillsets that will be needed to bring the
investigation to a successful conclusion.
To keep pace with the digitized workplace, investigators

will not have to define a new set of best practices but
evolve how traditional best practices will be applied.
Extend Your Subject Matter Expertise

Most successful investigators rely upon multiple
disciplines and skillsets to conduct complex
investigations. Artificial intelligence, machine learning
and robotic process automation have become a part of
an investigator’s standard toolkit. But even with these
advanced tools, investigators who work on behalf of
complex organizations need to be able to tap into an
even broader array of subject matter expertise in order
to understand the digital environments of their clients
and how best to leverage that expertise as investigators.
Each of these new business environments and paradigms
requires that subject matter experts work alongside
investigators to assist them in gathering evidence,
identifying the responsible parties, and assisting client
organizations to pursue avenues of financial recovery and
remediate any control weaknesses that may have been
exposed during the investigation.
Understand the Evolving Arc

of the Modern Investigation
The standard arc of an investigation includes the need
to gain an understanding of the victim or subject
organization, its products and services, the larger
industry or industries in which it participates, and
the problematic conduct that is at the center of the
investigation. Once an investigator has that context and
12
an understanding of the allegations at hand, an initial Investigators used to think nothing of forensically
picture emerges as to what information must be gathered imaging hard drives or acquiring email in one country
and analyzed. Investigative steps should then be taken and bringing it back home to another for analysis. More
to determine whether the allegations have merit and to recently, the default approach is for data to never leave
gather the evidence needed. that country and instead for it to be analyzed locally
to avoid potentially violating one or more privacy laws.
Complex investigations with large volumes of Every investigative plan must consider the data privacy
information, perhaps multiple allegations and conduct implications of the investigation at inception.
that span multiple geographies, oftentimes suggest
the need to assemble an investigative team made up of Investigations are inherently learning experiences.
multiple skillsets and disciplines. This multi-disciplined Investigative processes are about ingesting and analyzing
approach to investigations has never been more information at an accelerated rate. The same is true
important given the widespread use of new technologies. about digitization. Bringing these two processes into
harmony is not as difficult as it may seem. It starts with
Navigate the Delicate Landscape of Privacy Law knowing what you don’t know.
Further adding to the challenge facing investigators

The views expressed herein are those of the author
is the rise in information privacy laws and regulations.
and not necessarily the views of FTI Consulting, Inc., its
Personally identifiable information (PII), personal health
management, its subsidiaries, its affiliates, or its other
information, intellectual property, and “state secrets”
professionals.
are all things that investigators must consider and plan
for at the outset of an investigation. In many instances,
it is necessary for investigators to acquire and analyze
extremely sensitive and private information and to do so
in a way that does not create liability for the company on
whose behalf the investigation is being conducted.
About the Author
Scott Moritz, Senior Managing Director, FTI Consulting

Scott Moritz is a Senior Managing Director in the Global Risk & Investigations Practice.
He has more than 32 years of experience in combined law enforcement and investigative
consulting, forensic accounting, and regulatory compliance advisory experience. Mr. Moritz
assists clients and their outside counsel in managing their response to “bet the company”
event-driven financial crime, misconduct and bribery investigations. He works with company
leadership, audit committees, outside auditors, legal counsel and law enforcement and
regulatory agencies with whom he shares the results of the investigation.
13
4. We Need to Learn How to
Train Humans, Not Employees
By: Ingrid Fredeen that presents employers with a new challenge and
VP Online Learning Content, NAVEX Global opportunity. However, the learning curve is steep and
the deadline to acquire these skills is yesterday.
This article could very well have been about the
evolution of #MeToo, or the latest corporate walkout/ According to respondents in NAVEX Global’s 2019
sit-down/boycott, or how cancel culture is leaving no Definitive Corporate Compliance Benchmark Report,
company, brand or person safe from being “cancelled.” training, communications and awareness programs are
As someone whose profession requires a keen the vehicles through which we help organizations connect
understanding of behavioral sciences, I have an endless with purposeful and passionate employees. In the report,
supply of social and organizational trends I could identify training is indicated to:
and deconstruct. However, the most expansive trend I am
seeing is not in human behavior – but in humans. » Improve trust in leadership
» Increase employee morale

Today, organizations are no longer managing employees.
Employees are people who clock in, think about work, » Reduce legal liability
complete tasks, talk with colleagues, and then clock
out to go live their lives. That is not the reality of the » Increase the number of employees who report issues
modern workplace. Forward-thinking businesses have
worked hard to develop cultures where employees are For training programs to continue delivering on these
encouraged to bring their full selves to the job. This has goals during this evolution toward human-centric
increased productivity, creativity, innovation and personal workforces, traditional training programs must evolve. We
investment in “the work.” It has also evoked a keystone must figure out how the broad structure of the programs
change in business environments. People who bring their we implement will align themselves with the current
whole selves to work are not employees; they are human social environment and our own organizational values.
beings. And humans need a different framework for
management.
The Multidimensional Workforce Get Ahead of Disruptive Social Movements
Needs Multidimensional Training With Transparency in Training & Awareness
Humans are driven by purpose and passion. In the As a means of driving purpose and passion in the
absence of a social movement, this purpose and workplace, organizations have become adept at
passion is directed toward innovations in work. In the articulating corporate values. We are less good at
wake of a social movement, that same purpose and anticipating exactly how those values and our corporate
passion is redirected toward justice, restoration and actions toward them will be interpreted by our people.
change. Organizations have decades of experience For example, employees may gather together physically
and varying degrees of expertise managing employees or virtually to protest an unfair termination or the sourcing
in an innovation framework. It is this other framework
15
People are already motivated to raise Train the Human, Not the Employee
their voices. With the proper channels People are coming into their roles with more emotional,
political, and social affinities than ever before. A
for communication and encouragement
60-minute training course will never counterbalance the
for reporting, organizations can drive human inertia in the workplace when people bring their
people to speak up internally rather full selves to work. We need to go beneath the surface,
go beyond checking the box, and actually design training
than speak out externally.
curriculums that effectively map to our cultures. For
every training and awareness activity, ask yourself – have
I made this relevant to an employee? Does the content
connect with them more deeply than just on a purely risk
or legal level? Will my employees better understand why
of materials from a third party they dislike. With the help our organization approaches this area of risk in a certain
of social media and a growing penchant for advocacy, way and how it ties back to our organization’s values?
employees now have the ability to force an organization The key is to start thinking about learners as not just
to change or explain their actions and be prepared to employees but rather as human beings with interest and
deal with the consequences of those decisions. passions outside of the workplace.
Oftentimes organizations are caught off guard when

Prioritize the Audience in Training
corporate values are questioned. The first time
organizational leadership may hear about dissent might
Curriculum Mapping
be when they have to enter the building through a sea Relevance in this new environment is vital – learners
of protesting employees. To get ahead of these events, need and want to understand how the content they are
organizations need to embrace transparency to be learning is relevant to them and how it aligns with the
aware of and understand prevailing sentiments. People organization and its values. It will be near impossible to
are already motivated to raise their voices. With the do this for every single compliance topic, but there are
proper channels for communication and encouragement many opportunities across the courses you deploy to get
for reporting, organizations can drive people to speak this right.
up internally rather than speak out externally. One key
modification here could be to create a system that not Training curriculums need to effectively map the
only allows employees to express their concerns but also compliance message through three categories: training
their values. topics, audience needs, and content format. When
mapped properly, a meaningful risk narrative is translated
This requires awareness campaigns that inform to the right people, about the right things, in the right
employees on exactly how the organization processes way. All steps are important, but today’s changing
and evaluates concerns and values on social issues. It workforce requires additional emphasis on audience
requires training on how best to raise your voice within needs. For each audience determine the depth and
the organization in ways that are both respectful and frequency of training needed.
effective. And finally, it requires driving awareness of
the organizational responses to employee reports.
Transparency allows employees to trust the organization
because they have the visibility necessary to verify its
actions.
16
Consider these questions: » Will this course help build trust in our organization
and its leaders that we are serious about getting
» Who has computers? Who works at a desk? this right?
Who works primarily away from a desk?
» Is the course more than a recitation of legal principles
» Who has high exposure to specific risks? – is it relevant and meaningful?
» Who has learning constraints based on education

level, language or location? The purpose-driven employee is key to the success of
innovative and growing companies. It is a tremendous
» Who is the individual beyond their role – techie, hands- business asset to have employees who bring their full
on learner, introvert, extrovert, remote worker, etc. selves to work. We now have to take the necessary steps
to evolve our workplace practices to accommodate
» At what depth should each audience be educated
humans, not just employees. And for that, training,
per topic?
awareness and communications will be key.
» Does the content effectively share information about
our organization’s values?
About the Author
Ingrid Fredeen, Vice President, Online Learning Content, NAVEX Global

Ingrid Fredeen, J.D., Vice President, Online Learning Content, has been specializing in ethics
and legal compliance training for more than 10 years. She has been the principal design and
content developer for NAVEX Global’s online training course initiatives utilizing her more
than 20 years of specialization in employment law and legal compliance. Prior to joining
NAVEX Global, Ingrid worked both as a litigator with Littler Mendelson, the world’s largest
employment law firm, and as in-house corporate counsel for General Mills, Inc. a premier
Fortune 500 food manufacturing company.
17
5. Sanctions Compliance in the
Era of Financial Warfare
By: Michael Volkov The Future of OFAC Compliance

CEO & Owner, The Volkov Law Group, LLC OFAC’s application of these sanctions has taken on new
life under the leadership of Sigal Mandelker, the Under
On May 1, 2019, the world of sanctions compliance was
Secretary of the Treasury for Terrorism and Financial
upended when the U.S. Department of the Treasury’s
Intelligence. Sigal, who I had the pleasure of working
Office of Foreign Assets Control (OFAC) decided to
with during her tenure at the Department of Justice
jump into the compliance game by issuing its first-ever
(DOJ), has played an instrumental role in transforming
Framework for OFAC Compliance Commitments. Like
the expectations placed on all companies that do
the U.S. Department of Justice’s Evaluation of Corporate
business abroad. A former Deputy Assistant Attorney
Compliance Programs, this framework sets forth
General, she has worked closely with the DOJ and has
OFAC’s expectations as to what it believes a sanctions
demonstrated a willingness to refer sanctions violators
compliance program (SCP) should look like. However,
to DOJ for criminal investigation. Although she left the
while the DOJ guidance further clarified existing policy,
Treasury Department this past October, there is every
OFAC’s framework imposed significant new obligations.
reason to believe that OFAC will continue upholding the
Perhaps even more importantly, the document signals a
trends she began. In fact, I predict that the relationship
fundamental shift with respect to how OFAC will apply,
between OFAC and DOJ will eventually mirror the latter’s
monitor and enforce sanctions against organizations
relationship with the SEC, with the two agencies working
going forward.
in close coordination to address both civil and criminal
enforcement, respectively.
These changes partly stem from even broader evolutions
in U.S. foreign policy. Throughout the past decade,
Perhaps the most interesting component of OFAC’s new
presidential administrations from both parties have
guidance is the implicit message that OFAC no longer
demonstrated increasing appetites for using cross-
cares why your program failed. It doesn’t matter if your
industry sanctions to target rogue regimes, a practice
violations were made in earnest, or if they resulted from
that former U.S. Treasury and National Security Council
actions taken by your third party without your knowledge.
official Juan Zarate has described as “the unleashing of a
Regulators no longer want to hear your excuses.
new era of financial warfare.” The sweeping U.S. sanctions
against Iran, first levied under the prior administration This means that all organizations subject to OFAC
in 2010 and re-applied by the current administration in jurisdiction need to elevate their game. The Treasury
2018, are perhaps the most high-profile example of this has made it clear that compliance will no longer be
approach. However, similar sanctions have also been measured in steps taken but in results achieved. It
enacted against other rogue regimes such as Venezuela is no longer enough to conduct a cursory screen of
and Russia. your suppliers or distributors, nor will ignorance serve
as a defense. Any company engaged in international
commerce, including those with foreign services, clients,
and customers, needs to have a fully functioning SCP.
19
You don’t need to go far to determine the steps
organizations must take to align with new sanctions
compliance expectations. OFAC provides a five-part
prescription.
1. Get Senior Management Commitment

OFAC’s definition of commitment is technically precise
and relies on measurable actions undertaken by senior
leadership. Leaders must:
» Actively review and approve the organization’s SCP
» Designate a dedicated OFAC sanctions compliance

officer, and imbue that role with authority and
autonomy
» Create effective internal systems for whistleblowers

to report misconduct
» Severely and publicly punish violators to demonstrate

the organization’s commitment to compliance to all
members of the organization.
» Offer strong reporting mechanisms
2. Tailor Program to Risk Profile

The guidance radically expands the responsibility of
contracting organizations, plainly stating that there are a
“multitude of areas organizations should include in their
risk assessments.” Assessments should rely not only on
customer-provided information, but on independent
research. A third party’s failure to disclose incriminating
information is no excuse, as it is incumbent upon the
contracting organization to rigorously vet any potential
partner. Assessments should also be performed during
all mergers and acquisitions. Critically, the new OFAC
guidelines require that such evaluations be performed
“with a frequency…that adequately accounts for potential
risks.” Under this new policy, risk assessments must be
regularly updated in response to violations or deficiencies
uncovered during testing or audit functions.
20
3. Evaluate Internal Controls & Calibrate Solutions 5. Train Appropriate Personnel
Once an organization has completed its initial risk Finally, the OFAC guidance requires firms to implement
assessment and profile, it must adequately address the training programs for all appropriate employees and
results through policies and procedures that clearly and personnel. While training has traditionally been part of
effectively identify, interdict, escalate, record and report SCPs, what is noticeably different here is the frequency.
prohibited activities. Here, OFAC specifically states OFAC now requires training to be provided annually at a
its expectation that organizations utilize “information minimum. Further, training should be tailored to both the
technology solutions” to manage this complex task. entity’s risk profile and each employee’s individual role.
However, the adoption of a technology solution alone is Training should also be extended to the organization’s
not enough. The guidance stipulates that organizations external stakeholders, including clients, suppliers and
must select and calibrate solutions “in a manner that is business partners.
appropriate to address the organization’s risk profile and
compliance needs.” These sweeping new responsibilities and obligations for
entities with partners, clients, suppliers, distributors or
customers overseas are not spurious. They are the direct
4. Test & Audit
and considered consequence of long-term U.S. foreign
Of course, an organization’s risk profile is not static,
policy, and they are likely to expand rather than recede
nor do internal controls or technology solutions come
with time.
perfectly calibrated. Effective SCPs are audited and
tested regularly to check for weaknesses and deficiencies. While the challenges posed by the new OFAC guidance
OFAC expects SCP elements to be routinely recalibrated may seem daunting, firms can and should use this
to account for changing risks. Such testing functions moment as an opportunity to imbue their compliance
should be comprehensive, objective, independent and functions with the authority, autonomy, resources and
accountable to senior management. When test results technology that regulators now expect of them. We
are negative, corrective action should be immediate and are entering a year of change in the sanctions world
effective. It should also address the “root causes” of as successful businesses and compliance programs
failures, rather than focusing on their symptoms. anticipate these shifts in the compliance landscape and
adapt accordingly.
About the Author
Michael Volkov, CEO and Owner The Volkov Law Group, LLC
Michael Volkov, CEO and owner of The Volkov Law Group, LLC, has over 30 years of
experience in practicing law. A former federal prosecutor and veteran white collar defense
attorney, he has expertise in areas of compliance, internal investigations and enforcement
matters. Mr. Volkov spent 17 years as a federal prosecutor in the U.S. Attorney’s Office for the
District of Columbia. As an Assistant U.S. Attorney, he had over 75 jury trials and extensive
federal court experience. He also served on the Senate and House Judiciary Committees
as the chief crime and terrorism counsel for the respective committees. In addition, Mr.
Volkov served as a deputy assistant attorney general in the Office of Legislative Affairs of
the U.S. Department of Justice (DOJ) and as a trial attorney in the DOJ’s Antitrust Division.
Michael Volkov maintains a highly popular FCPA blog, Corruption, Crime & Compliance. He
is a regular speaker at events around the globe, and is frequently cited in the media for his
knowledge on criminal issues, enforcement matters, compliance and corporate governance.
21
6. Risk 3: People Risk, Business Risk,
& Regulatory Risk
By: Sam Abadir Developing a federated but enterprise-wide perspective

Director, IRM Industry Solutions, NAVEX Global of risk creates a shared vantage point, shared
understanding, and shared approach to these major risk
As we enter the 2020s, the fiscal, operational and categories that still allow for risk to be actionable in the
reputational integrities of companies are being user’s context. This evolves risk management from a rigid
threatened by new and evolving risks. Proliferating structure to a resilient structure.
regulations are demanding constant review and
alignment. Data retention practices are turning Creating a Single Resilient Risk
businesses into risk storehouses. And third and fourth
Management Architecture
party risk are extending organizational risk into the
Disparate approaches to risk management create
broader world. Preventing all risk has never been a
siloes with blind spots, redundancies and conflicts.
mature approach to risk management, and in today’s
These silos turn into seams through which modern risk
world, it is no longer a tenable strategy. How we manage
enters our organizations. While IT security, strategy,
evolving risk will play a key role in how successful our
compliance, and legal teams may all have best-practice
companies are in the future marketplace.
risk-management strategies, if those strategies are not
Traditional preventive risk management structures operationalized in agile ways that inform one another,
are strong but rigid. They are designed to address we can simply shift risk without addressing it.
individual threats that are often direct and blunt. In
We can see this more clearly when looking through the
these structures, we apply more internal controls and
eyes of the board. Directors no longer want five different
protective measures to shore up our vulnerabilities.
executives talking about the same types of risk in five
However, risk has changed. It’s not simply forceful. It’s
different ways. They want a consistent and simplified
fluid. It’s subtle. It’s voluminous. These changes have
narrative driven by a cohesive risk management strategy.
made rigid approaches increasingly more reactive rather
How this strategy is tailored across roles, teams and
than responsive.
functions may be unique, but it should all track back
The future of risk management will be in how we up into the same dataset – the same overarching risk
embrace risk through a holistic yet agile approach. This architecture.
requires a better understanding of how we address our
The holistic architecture of people, regulatory and
organization’s most immediate and damaging risks:
business risk can further be seen in one of our industry’s
people risk, business risk, and regulatory risk. Yes, there
growing concerns – data privacy. Data privacy law has
is IT security, data privacy, health and safety standards,
redefined regulatory expectations for organizations.
and legislative risk – but these categories should
A key aspect of privacy law is embedding a privacy
ultimately align with the regulations that define them;
by design approach into everything we do. Next, the
support business operations while managing operational
business processes, systems and technologies we
risk; and drive employee bases that are both inspired
implement need to operationalize privacy. Lastly, the
and ethical.
point of risk ultimately sits with our people. Will an
23
year-over-year growth expectations. The end goal for
every organization should be a single architecture for risk
management. This ensures that the individual strategies
deployed across separate business functions inform and
respond to enterprise needs.
Understand the Full Life Cycle of Risk

Broad risk categories are operationalized when individual
risk life cycles are properly mapped. The steps below
map out an organization’s relationship with risk.
1. Define your organizational risk profile
2. Identify the inherent risks to your business, industry

and region
3. Define and articulate your organizational risk

tolerance by clearly indicating which risks are to be
accepted, absorbed, mitigated or avoided
4. Design internal controls that operationalize that risk

tolerance
employee follow data handling best practices when the
5. Ensure your business ecosystem – customers,
time comes? Will they intentionally or unintentionally
employees and vendors – are aware of their
share protected information? Or will they open that
responsibilities for managing their business in
phishing email?
an ethical manner and within the bounds of the
designed controls. This is usually performed with
Whether in a presentation to the board or in day-to-day
a robust risk management program incorporating
management, an actionable risk and compliance narrative
and integrated policy, training, and control testing
driven by an integrated risk architecture is essential.
approach
6. Monitor controls to ensure they are in acceptable

tolerances and not showing signs of risk
Understand Your Organization’s Risk Composition 7. Prepare for the potential failure with remediation
While every organization has people, regulatory and strategies and resiliency plans that manage
business risk, how those risks compose the whole will downstream events strategies that manage
be unique to your organization. Financial institutions downstream consequences
may prioritize regulatory risk and manage people and
business risk around that. Manufactures may start Monitor Consistently & Continuously
with their business risk and ensure operations align Once the life cycle is defined and operationalized, we
with regulatory requirements and employee relations. can then take a risk-based approach to monitoring
Retail organizations with large salesforces may lean our risk. An example of this is in our third party due
heavily into people risk while ensuring their third-party diligence and screening practices. These same risk-
suppliers do not jeopardize their business risk. And every based, continuous monitoring efforts should be reflected
organization must manage strategic risk that comes with in our internal tools, processes and assessments. While
24
vendor risk management may track different factors, our of data privacy and security. For instance, your data
internal efforts should mimic its risk-based cadence for privacy officer is probably a lawyer. While they can inform
monitoring our leading risk indicators. Internally, this each team of what the law says, they need privacy-
will often include monitoring things like sales figures, minded counterparts in each team who can translate
marketing performance, digital risk, API integrations, or what CCPA or GDPR alignment looks like in practice for
travel bookings among others. For this, we need a risk engineering, customer service, accounting, information
architecture that identifies risk and is responsive enough security and IT, etc.
to identify when those risks change.
Our technology solutions need to be holistic as well. Risk
management software is essential to automate processes
Increase Transparency
and programs, and solutions themselves cannot be
Risk management, once a unique responsibility within
siloed. Individual solutions that do not speak to one
individual departments, needs to be elevated from its
another or ultimately track into an enterprise-wide system
siloed roots. Unfortunately, there will most likely always
can unintentionally automate risk for other departments.
be siloes – that is the business reality we live in. The
A flexible platform solution, or at least an integrated risk
goal, however, is to create systems that force those
management approach, that supports actionable, risk-
siloes to identify the relevant information that needs to
based management in an auditable manner will ensure
be communicated across, and integrated into, global
that transparency is embedded into the solutions we
operations. This will create a common risk vocabulary
deploy to manage our risks.
and increase transparency so that siloes do not create
confusion and volumes of extra spreadsheet work that When you think about risk holistically, you broaden your
increase administration and decrease accuracy. perspective on the full breadth of the risk ecosystem your
business operates in. This creates more visibility into the
This requires departmental personnel to physically
complexity. While we will never be able to reduce the
(or virtually) get up from their seats and build working
complexity of the risk landscapes our businesses operate
relationships with their counterparts in adjacent
within, we are able to simplify the approaches we take to
departments. This again can be seen clearly in the role
effectively manage that risk.
About the Author
Sam Abadir, Director, IRM Industry Solutions, NAVEX Global

Abadir has more than 20 years of experience helping companies realize value through
improving processes, identifying performance metrics, and understanding risk. Abadir is a
veteran of both the Big 4 Consulting world and the Software Development industry with over
20 years of experience managing teams from two to 400 people. He is currently working to
educate the world on governance, risk and compliance, and help organizations use the data
and content around them to better manage risk.
25
7. Data Privacy Is Not a Law, It’s a Lifestyle
By: Jess Wilburn 40% of countries do not, though most likely will soon. In
Data Privacy Officer & Senior Counsel, the United States, no federal standard is likely to emerge
CIPP/US, CIPP/E, NAVEX Global in the near future, meaning individual state-level laws
will continue to proliferate. Outside of new laws, the
The words “hodgepodge” and “patchwork” are overused application of existing data privacy law will continue to
in the world of risk and compliance, but they’re certainly evolve with each enforcement action. For instance, an
appropriate for describing the myriad data privacy early 2019 enforcement action against Google taught
regulations popping up around the world. us that transparency and specificity are required to
obtain “informed consent” from consumers. This forced
In 2018, the world of data privacy was shaken by the companies to take a look at how their own privacy
enforcement of the EU’s General Data Protection statements and policies meet standards.
Regulation (GDPR). In 2019, a subset of the world braced
itself again for the California Consumer Privacy Act While GDPR compliance is a continuous journey that
(CCPA). Together, these two regulations fueled most of isn’t ending anytime soon, the most significant changes
the headlines for companies and consumers alike, and we will see will likely come from ripple effects from
for good reason. They are expansive and prescriptive. the recently launched CCPA. Under CCPA, California
However, the reality is they comprise only a small fraction consumers may request:
of global data privacy legislation.
» What personal information is being collected and why
As we enter the early 2020s, there will be more than 100
» For personal information to be deleted
countries with data privacy legislation in place. Along
with the international sprawl of privacy law, in the United » To obtain information about onward disclosures and
States there are a number of similar-but-different state the “selling” of their personal information
laws in the offing. All of this means that organizations
managing data and operating across borders must be » The categories of third parties with whom their data
exceedingly vigilant in how they navigate the wide array is shared, or from whom it was acquired
of data privacy regulations.
In many ways CCPA is more of the same from GDPR, with
In Data Privacy Law, Change Is the Only Constant additional specificity around the methods provided to
consumers for requesting their data. Here organizations
In 2020, “change” will define our existence as
in scope will need to provide consumers with “at a
organizations operating in a world of heightened
minimum, a toll-free telephone number, and if the
appreciation for an individual’s personally identifiable
business maintains an Internet Web site, a Web site
information (PII).
address.” We can expect to see echoed requirements
at a state and global level over the next couple years
While more than 100 countries currently have data
and beyond.
privacy legislation in place, that also means more than
27
This state of constant change will create an environment Whether formally or informally, the data ambassadors
where organizations will not only have to continually you’ve identified throughout the organization and those
define and refine data privacy processes and procedures, specifically hired for privacy should come together to
but also define and refine organizational structures that create a privacy committee. This committee should meet
process data, skillsets of individuals who manage data, regularly, discuss internal and external evolutions, and be
and the relationship the company has with PII. change agents who embed better data privacy across the
organization.
Steps for an Organization to Take

Master the Full Life Cycle of PII
In short, effective data privacy will not come from a policy
The real work in this new age of privacy law comes in
or procedure change, but a lifestyle change. Cavalier
the processing and fulfilling of data subject access
data management no longer holds water. Organizations
requests. This challenge is going to be a continual hurdle
are expected to live and breathe “privacy by design.”
for companies as we venture deeper into the era of
heightened data privacy requirements. For this we need
Find & Develop Your Data Privacy People to become masters of the full life cycle of the PII our
With GDPR, hiring a data privacy officer was a key organizations touch.
initiative for many organizations. Today, just two years
later, DPOs are often assumed. Data privacy now Data mapping is key here and requires you to understand
needs to be embedded deeply and uniquely across what data types you collect, where you store it, who
the organization. This starts with the DPO integrating processes it, where the access points are, and what your
themselves into each data processing activity within data retention practices are. Data handling practices
the organization. Each team should have a privacy should then be formalized throughout the organization
representative or champion who can effectively speak by codifying data privacy best practices through updated
to the team’s data practices, usage and retention. privacy policies and data privacy compliance training
These relationships are key; a DPO can tell you what the designed to educate the critical personnel who collect,
privacy requirements are, but they will need functional manage or process data within the organization
experts to help translate and apply the law across
different use cases. With your extended data privacy team developed and
the full life cycle of PII properly managed, delivery on
I expect we will also see a growing trend of data privacy effective data privacy will become second nature for your
titles being hired in departments like engineering, organization.
marketing and customer services. Privacy by design is
best when those designing the programs and practices
are not only functional experts but also data experts.
About the Author
Jess Wilburn, Data Privacy Officer & Senior Counsel, CIPP/US, CIPP/E
As Data Privacy Officer & Senior Counsel, Jessica leads data privacy for NAVEX Global,
advising on compliance across all aspects of global privacy law and regulations. She has been
with the organization for over four years, initially focusing on the negotiation of Software-as-
a-Service (SaaS) agreements and data transfer and processing agreements. Jessica spent the
majority of 2017 in our London office, working with individuals from around the globe on the
impact of global data privacy laws.
28
8. Today Whistleblower Protections Driven
by Legislation, Tomorrow by Value
By: Carrie Penman In either case, the effects will be profound. Let’s review
Chief Risk & Compliance Officer, NAVEX Global some of the recent developments to understand why.
During 2019, whistleblower protections around the Whistleblower Protection Developments

world increased significantly – with lasting effects that
1. The European Union’s new whistleblower directive,
will reverberate as we enter the 2020s. Whistleblower
set to take effect in 2021, is arguably the most
regulations, standards and guidance emerged at a record
comprehensive set of whistleblower protections
pace, and with an unprecedented geographic footprint.
in recent years. It seeks to normalize requirements
This is even after a year of significant whistleblower
across the EU while advancing a common
legislative activity in 2018 from Germany, Spain and Italy.
understanding of appropriate reporting channels for
While whistleblower protections are increasing in volume, every organization with over 50 employees, as well as
they are also increasing in prescription. This velocity and municipalities and public institutions.
prescriptiveness is forcing a form of soul-searching for
whistleblower programs (or internal reporting systems as Affected organizations will be required to create or
I prefer to describe them) at every stage of the maturity update their reporting channels and ban all forms of
scale. For organizations that have not yet implemented retaliation. The burden of proof shifts to employers
a whistleblower program, these regulations will require when retaliation is alleged. For the first time, all
considerable effort to implement, as well as a cultural EU member states will operate under a similar
evaluation to determine how the larger practice of framework, resulting in consistent requirements in
reporting fits into the organization’s values. On the every country. One area that the directive leaves up
other side, organizations with longstanding programs to the member states is what types of anonymous
are expressing concerns about changing systems they reporting are acceptable. How each member state
already see as effective. chooses to address this will be interesting to watch.
2. Changes to Australia’s Corporations Act, which took

effect July 1, 2019, are encouraging whistleblowing
by clearly defining who is eligible to submit and
receive reports. It is notable that junior managers
While whistleblower protections and Human Resources personnel have been removed
as eligible report recipients. The changes provide
are increasing in volume, they are
enhancements to identity and legal protections
also increasing in prescription. This for whistleblowers and enable internal reporters
velocity and prescriptiveness is to submit a report anonymously for the first time.
Corporations found to be causing detriment to,
forcing a form of soul searching for
or disclosing the identity of, a whistleblower face
whistleblower programs. penalties of up to $1 million. And, as of January 1,
2020, it will also be a finable offense to not have a
whistleblower policy in place.
30
3. The U.S. Department of Justice’s “Evaluation Beyond the headlines, however, a foundational paradigm
of Corporate Compliance Programs” guidance, shift is taking place – one that hinges on economic
initially released in 2017, was updated in 2019. The value. Consider the 100-page report, “Estimating the
new guidance states that prosecutors will look for Economic Benefits of Whistleblower Protection in Public
proactive measures to create workplace atmospheres Procurement,” that led to the EU whistleblower directive.
free of the fear of retaliation, along with appropriate The report states:
processes for submitting complaints and systems
“The quantitative findings clearly demonstrate the
to protect whistleblowers. A new Whistleblower
economic value of whistleblower protection. For all of
Protection Reform Act is also making its way through
the countries and scenarios considered, the potential
Congress. The bipartisan bill, which passed the
greatly exceeds the costs. The qualitative evidence
House of Representatives by a vote of 410 to 12 last
gathered from the countries sheds light on good
summer, would extend the rights and protections
practices and lessons learned for effective and efficient
guaranteed under the Dodd-Frank Act to internal
implementation. What remains for policymakers
whistleblowers. This legislation would effectively
is not to justify the economic case, but rather to
reverse the Supreme Court’s decision to limit such
determine how such systems can be effectively and
protections to those who report to the Securities and
efficiently designed to realise the full potential for
Exchange Commission.
citizens across the EU.” [emphasis added by author]
4. Beyond new laws and regulations, new global
whistleblowing guidance is also emerging. Set In the U.S., there are similar value statements
for release in 2021, ISO 37002 intends to provide surfacing from George Washington University in the
best practices for whistleblower systems built study, “Evidence on the Use and Efficacy of Internal
around trust, impartiality and protection. “Its aim Whistleblowing Systems.” These findings show that:
is to provide guidance on how a whistleblowing
management system can help you to become, “Internal whistleblower report volume is associated
and be seen as, a responsive organization,” said with fewer and lower amounts of government
Wim Vandekerckhove, chairman of the ISO 37002 fines and material lawsuits, which is consistent with
committee. reports being a resource that deters inappropriate
behavior and helps management identify and address
What’s Behind the Changes in concerns before they become more costly to the firm.
Whistleblowing Protections All of this might be shifting the perspective on
whistleblowing.” [emphasis added by author]
As we speculate on future implications of increasing
whistleblower regulations, it’s important to understand
Most of the recent regulatory changes can be traced
what is behind the changes in the first place.
back to value – the value that economies, companies and
shareholders have lost as a result of the various scandals.
The most forceful impetus has been a fall from grace
And this is not the first time we have seen a flurry of new
experienced by many politicians, celebrities, high-
regulations after a series of high profile economic and
profile executives, and some of the world’s largest
ethical failures.
companies, all spurred by an initial whistleblower report.
And in many of these cases, the reporter experienced
Going into the new decade, the evolution of
career-threatening retaliation. As a result of these
whistleblower protections will be driven by protecting
continuing issues, there is now an overall lack of trust in
and enhancing value. Here, organizations rather than
organizations and a public demand for more transparency
regulations will ultimately drive internal whistleblower
in organizational processes.
programs, not simply to prevent value loss but to
enhance value generated. As we have seen time and
31
time again, program best practices are often first To fully capitalize on this business value of employee
implemented through self-regulation, then codified reporting, organizations must get full commitment from
and enforced by regulators, and then evolved beyond management on the criticality of internal reporters, while
check-the-box processes to achieve true business value. also ensuring the reporting systems in place are best in
The ultimate objective is that internal reports are raised, class. That is where extended value is created.
problems are identified, and issues, faulty systems,
and inefficient processes are addressed to optimize 2. Go Beyond a Focus on Individual Reports
operations and eliminate potentially damaging litigation
The micro benefit of effective internal reporting systems
and media exposure.
is the ability to identify, address and resolve individual
issues before they turn into corporate crises or a financial
Steps for Organizations to Take and reputational damaging event. The macro benefit
is the ability to holistically identify issue patterns and
There are two key steps our organizations should take if
predict where failure points could occur. This comes
we are to truly achieve value from these efforts.
with fully understanding how to interpret our aggregate
1. Avoid Falling Into a Prescriptive, hotline data along with other sources of information such
Check-the-Box Approach as surveys, risk assessments, exit interviews, and other
data points that could catch a brewing problem early.
While the broadening regulatory support for
With this approach, we can identify enterprise-wide
whistleblowing brings much needed credibility to
cultural trends and isolate hot spots within regions, teams
internal reporting processes, it is also applying additional
or hierarchies.
prescription to internal processes. If we learned anything
from the regulations of the past, it is that the more
To uncover these big-picture trends, we must retrain
prescriptive they are, the more organizations will strive
ourselves on how to analyze and interpret our hotline
to check the regulatory box rather than truly implement
data. We are not just trying to substantiate a case; we are
changes necessary to achieve the desired outcome. It is
trying to substantiate a culture.
essential to take steps to create a defensible reporting
system, but organizations should not stop there. They
As “whistleblowing” continues to be front and center
must understand their unique workplace culture to
in our collective minds, compliance officers should
ensure that their program doesn’t just exist but is actually
capitalize on the opportunity to reinforce their
used by employees.
organization’s commitment to speaking up. This will help
ensure the value employee reporters create will stay
within the organization.
About the Author
Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global

As one of the earliest ethics officers in the industry, Carrie Penman has been with
NAVEX Global since 2003 after serving four years as deputy director of the Ethics and
Compliance Officer Association (ECOA) now ECI. A scientist by training, she developed
and directed the first corporate-wide global ethics program at Westinghouse Electric
Corporation from 1994-1999. As Chief Risk and Compliance Officer for NAVEX Global,
Carrie leads the company’s formal risk management processes. She also oversees its
internal ethics and compliance activities employing many of the best practices that
NAVEX Global recommends to its customers.
32
9. Finding Your Footing in a
Sea of Regulations & Guidance
By: Kristy Grant-Hart election brought in a slate of new laws relating to sexual
Author & CEO, Spark Compliance Consulting harassment training and policies, and we may see that
trend expand on a state-by-state basis by the end of
The compliance officer woke up in a cold sweat. In his 2020.
nightmare, once again the regulator had spoken. Only
this time, it was a marauding hoard of regulators spouting On the international front, prosecutions under the GDPR
guidance, regulations and legislation. The acronyms will likely produce significant guidance by the Article
came thick and fast – OFAC, ABAC, UKBA, FCPA, DOJ, 29 Working Party, European Data Protection Board,
SEC, MSA… As he tried to calm himself, he realized this and individual countries’ Data Protection Authorities.
wasn’t just a dream. It was real. Guidance for newer anti-bribery laws like the Brazilian
Clean Companies Act and France’s Sapin II may very likely
Welcome to 2020. There was a time when compliance come out in 2020. And the UK’s Ministry of Justice may
officers clamored for more specific regulations and issue additional guidance on the UK Bribery Act based on
guidance. During the past several years, however, what the recent deferred prosecution agreements (especially
used to be a dearth of specific enumerated expectations when it comes to what an adequate procedures defense
has become a sea of guidance that can be hard to track, looks like). Lastly, if Brexit is accomplished, expect
much less interpret and implement into your program. tremendous amounts of guidance on how businesses are
to deal with the new legal landscape between the EU and
Recently, we’ve seen OFAC publish its Framework Britain.
for OFAC Compliance Commitments, the DOJ’s new
Evaluation of Antitrust Compliance Programs guidance, What’s a compliance officer to do? Try out the following
and regulations and amendments to the California to find your sea legs.
Consumer Privacy Act. We’ve also seen numerous
publications of guidance from the European Data
Protection Board interpreting pieces of the General
Data Protection Regulation, and of course, the DOJ’s
Perform the Two-Step Application Review
Evaluation of Corporate Compliance Programs guidance.
And this only scratches the surface. The noise can make it difficult to figure out what actually
needs your attention. There are two different analyses
With all of the major pronouncements in 2019 by to complete to find out if the guidance really applies to
U.S. authorities, 2020 may be a slow year for national you. First determine what is in your remit? Compliance’s
guidance. Stateside, the CCPA isn’t finished yet, so areas of expertise need to be enumerated specifically so
expect more guidance on this law. Be aware of the you know what you need to track. If compliance’s remit is
potential for new laws that may come into force with the antitrust, bribery, data privacy, and trade sanctions, then
next national election in November. The 2018 national it isn’t your responsibility to track what is happening with
34
the UK Modern Slavery Act. Make sure you know what is
in your remit so you can become an expert in those areas,
while ignoring the rest.
The second analysis is which regulations and guidance

apply to your company? Look carefully at the business. If
privacy is in your remit, do you serve California residents
and meet the other criteria such that you’re caught by the
California Consumer Privacy Act (CCPA)? Is your business
solely outside the U.S., so the DOJ’s guidance has little
bearing on your day-to-day work? Prioritize that which
directly applies to you in the compliance department and
your company. Once you’ve done that…
Open Up Your Risk Assessment

Prosecutors have (slowly) recognized that boiling the
ocean is not a realistic expectation for companies.
The near-universal endorsement of using a risk-based
approach should make the compliance world smile.
The DOJ’s recent Evaluation of Corporate Compliance
Programs was explicit about this point. It said that a risk-
based approach to the program is expected, “even if [the
program] fails to prevent an infraction in a low-risk area.”
One can’t apply a risk-based approach unless one has

reviewed the risks. Assuming you have a written risk
assessment, pull it out and review the various risks facing
your company. Use the risk assessment to inform where
to you focus your energy. It can be overwhelming to look
at all of the guidance at once. Instead of spending time
glancing through every piece of advice, save yourself
the stomachache by performing a deeper dive into one
piece of guidance. Review your risks, compare them to
the guidance, and create a plan to update your program
appropriately.
Let Someone Else Do the Work for You

You don’t have to read every piece of legislation or
guidance. Law firms and consultants are happy to do
that for you, and to provide you with updates, checklists,
and webinars highlighting the important elements of the
new guidance or legislation. You may even be able to
35
get a free session or continuing education course at your required for every area of your program. This includes
company if you ask nicely. Instead of putting the burden trade sanctions, import/export, bribery, anti-money
on yourself to learn everything new, use the synopses and laundering, privacy, competition/antitrust, etc. Looking
tools provided by the legal and consulting world to help at the guidance holistically can help in planning your next
you discern what matters. moves.
Find the Synergies Find the Low-Hanging Fruit

When it comes down to it, the world’s regulators have Within every piece of guidance or new regulation, there
more or less agreed on what makes a good compliance is probably low-hanging fruit for your program. For
program. Whether considering an adequate procedures instance, if CCPA applies, call your eLearning company
defense under the UK Bribery Act, or the seven elements and find out if they have a CCPA course that you can
of an effective compliance program under the U.S. use instead of developing your own PowerPoint training.
Federal Sentencing Guidelines, there are only so many Review and update your current trade sanctions policy
variations of what is considered important. These rather than build a new one for the OFAC guidance.
common elements include a code of conduct, policies, Think about updating your current metrics to show
procedures, training, risk assessment, monitoring and effectiveness rather than researching all possible metrics
auditing, good governance, due diligence, investigations, you could implement to meet the DOJ’s program
whistleblowing, and promoting an ethical culture. evaluation standards.
When looking at the guidance and regulations that apply By using these strategies, you can face the onslaught
to your program, look for synergies across the various of guidance with a plan. You can focus on what matters
guidance. For instance, completing a risk assessment and drown out the white noise. And that will have you
is an expectation/requirement under the Federal sleeping like a baby.
Sentencing Guidelines, DOJ Antitrust Guidance, OFAC
Guidance, ISO 19600 standard, and ISO 37001 standard.
Training on critical policies for those affected by risk is
About the Author
Kristy Grant-Hart, Author and CEO, Spark Compliance Consulting

Kristy Grant-Hart is an expert at transforming compliance departments into in-demand
business assets. She’s the author of the book “How to be a Wildly Effective Compliance
Officer” and CEO of Spark Compliance Consulting, a London and Los Angeles-based
consulting group. She is also an adjunct professor at Delaware Law School, Widener
University, teaching Global Compliance and Ethics. Before launching Spark Compliance,
Ms. Grant-Hart was the Chief Compliance Officer at United International Pictures, the joint
distribution company for Paramount Pictures and Universal Pictures in 65+ countries.
36
37
10. Hotlines, Headlines & Hearsay:
When “Whistleblowing” Is National News
By: Carrie Penman So, what impact will this have on our organizations and
Chief Risk & Compliance Officer, NAVEX Global our approach to managing internal reporting processes?
For years, ethics and compliance officers wished for The End to an Era of Suppressive Whistleblower
the day when our work was at the forefront of public
Culture … or the Beginning?
conversation — a day when people everywhere eagerly
There is no doubt that many potential whistleblowers are
discussed the importance of effectively preventing and
now thinking more carefully about if, when and how they
detecting misconduct and the importance of speaking up.
would report misconduct. They are more likely than ever
That day arrived in fall 2019, thanks to an anonymous to first focus on protecting their interests (career mobility,
whistleblower reporting about a phone call between personal reputation, financial assets). Some might decide
the U.S. White House and the president of the Ukraine. to report anonymously; others might go to the other
Compliance officers would be remiss not to understand extreme and take their concerns to the biggest public
the significance of this moment, and its potential platform they can find. Still, some won’t report at all, and
consequences for whistleblowing and internal reporting perhaps quietly leave the organization.
more broadly in the years to come.
The ongoing national conversation has pushed the
With long held industry principles, best practices, and issue to an inflection point that leaves us with an
codified legal protections in place for decades, we are open question: will we allow this heightened scrutiny
now surrounded by debates over: to put a further chill on internal reporting, or will we
capitalize on the opportunity to once and for all change
» The value of anonymous reporting and confidentiality the perception of whistleblowing and its value to
organizations?
» The appropriate approaches to investigations
We might start with the term “whistleblower” itself.
» Whether second-hand reporters should be permitted
For years, I have been vocal with my concerns that
to report
this negative label discourages individuals who are
» The protections afforded (or not) to whistleblowers to considering reporting potential wrongdoing. A neutral
prevent retaliation term like “reporter” more aptly captures the value of the
deed and empowers employees to rise to the obligation.
Most organizations with mature programs know this,
Setting aside politics, these highly visible debates
and refer to their programs in a more positive and
have surely made an impression on would-be internal
supportive way.
reporters, both in government and private organizations.
As a result, we should expect that speaking up – an
To address this potentially suppressive “whistleblower
already decidedly tumultuous experience – to cause even
culture,” organizations would be well served to consider
more angst for employees and would-be reporters.
and embed the business value of internal reporting
systems into an organization’s culture and business
38
practices. Over the past two years, studies by George The research found that claims in
Washington University (GWU) have unequivocally
secondhand reports are 47.7% more
demonstrated the business value of strong reporting
systems and cultures. Findings show that firms with likely than those of firsthand reports to
higher hotline usage experienced: be substantiated by management.
» 6.9% fewer material lawsuits
» 20.4% less in litigation costs over a three-year period

compared to similar companies with lower hotline use the table when employees do not speak up – internal
reporters could be viewed in an new way: as champions
» Up to a 2.8% increase in return on assets relative to
of the business who should be respected and offered
their peers
every opportunity to have their viewpoints heard.
» Lower regulatory fines by up to $8 million
As a result of the headlines and debates, employees
» Reduced negative news coverage by up to 46% everywhere are refining their perception of reporting that
will no doubt be deeply rooted and long lasting. Will that
perception be one of whistleblowing as a snitch or one of
What About Second-Hand Reports – “Hearsay”
employee reporting that is supported and valued? This
Finally, much of the headline-grabbing debate over the result will be determined by how organizations promote
White House report is related to the fact that the reporter and manage their reporting systems.
was relying on secondhand information, thereby calling
the credibility of the report into question. In response to
this, GWU conducted additional research comparing the
substantiation rates between firsthand and secondhand
1. Increase the Number of Reports
reports.
The research bulleted above shows that internal hotline
The research found that claims in secondhand reports reporting activity, and the performance results, are
are 47.7% more likely than those of firsthand reports to always positively correlated. Simply put, the more
be substantiated by management. The research also reporting activity, the better for the organization. The
found that reports based on secondhand information are reverse is also true: higher internal whistleblower activity
disproportionately reports of accounting and financial never correlates with negative business outcomes.
concerns and business integrity issues (i.e., illegal or With that as our baseline, we should be laser focused
unethical business practices such as conflicts of interest, on eliminating any technical, procedural or emotional
falsification of company records, bribery, etc.). Firsthand barriers to internal reporting.
reports were more likely to be Human Resources related
matters. These findings may be counterintuitive but 2. Value All Forms of Internal Reports
serve once again to remind all organizations that there
Anonymous, as well as secondhand reports, are often
is considerable business incentive to readily accept and
seen as frivolous or even malicious, but these occurrences
encourage all types of reports.
are actually low. And according to the Association of
Certified Fraud Examiners Global Study on Occupational
It Is Time to Replace Headlines, Hearsay & Fear of Fraud & Abuse, tips (i.e., whistleblower reports) are
“Whistleblowers” with a New Mindset responsible for 40% of fraud detection, with 14% of those
If organizations truly let all of these research findings tips having been reported anonymously. And as noted
sink in – to recognize the business value that is left on above, secondhand reports were far more likely to be
39
substantiated than firsthand reports. All reports should 5. Ensure Your Processes Are Resilient
be considered potentially valuable, or the most valuable
reports may never be considered at all. Organizations need to seal any cracks in their internal
reporting systems and remember the larger objective
3. Address Fear of Retaliation in doing so: making those systems more resilient to
management pressure, and therefore more trusted by
Fear of retaliation is one of the primary reasons why
would-be reporters.
employees do not report. Proactively addressing this
fear through awareness and training are critical – as is In fact, if there’s any one word that keeps coming to
disciplining retaliators. While fear of retaliation will never mind, it’s that: resilience.
be eliminated, it can be reduced, which could mean the
difference between getting “the big report” or not. Reporters must be resilient, but so must our
organizational processes. To be successful, we need to
4. Review Your Investigative Processes design reporting systems that are resilient to outside
influence and that can offset the inherent pressure on
It is always good practice to periodically review and
internal reporters to stay silent, recant or take their
test internal investigation processes to ensure they
concerns elsewhere. It’s our job to relieve that pressure,
are consistent, timely and fair. With all the various new
protect the reporter/whistleblower, and capture the
global regulations, it will also be important to ensure that
human and business value of employee reporting.
systems intended to protect confidentiality are working
properly.
About the Author
Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global

As one of the earliest ethics officers in the industry, Carrie Penman has been with
NAVEX Global since 2003 after serving four years as deputy director of the Ethics and
Compliance Officer Association (ECOA) now ECI. A scientist by training, she developed
and directed the first corporate-wide global ethics program at Westinghouse Electric
Corporation from 1994-1999. As Chief Risk and Compliance Officer for NAVEX Global,
Carrie leads the company’s formal risk management processes. She also oversees its
internal ethics and compliance activities employing many of the best practices that
NAVEX Global recommends to its customers.
40
About this Resource
The issues, concerns and opportunities found in NAVEX Global’s annual Top 10 Risk & Compliance Trends are generated
by thought leaders who work in, report on, and develop solutions for the compliance industry. The eBook was compiled
by the editors and contributors of NAVEX Global’s blog, Ethics & Compliance Matters™, and each article was authored
by a current contributor to the blog. You can keep up with the evolution of these trends and others throughout the year
when you subscribe to the Ethics & Compliance Matters Blog.
Definitive Guide Series

Continue your work to build a robust and agile compliance program that keeps pace with an evolving industry with the
best practices found in our Ethics & Compliance Definitive Guide Series.
Definitive Guide to Incident Management

Learn everything you need to create an effective case management program – from planning to implementing to
measuring results - with our comprehensive guide.
Definitive Guide to Third Party Risk Management

Learn everything you need to know about effectively managing your third party risk – from defining a due diligence
process to creating risk-based strategy.
Definitive Guide to Ethics & Compliance Training

Find the tools and information you need to define and develop an engaging compliance training program, implement a
multiyear education plan, address your most pressing risks, and measure, evaluate and improve your compliance training
effectiveness.
Definitive Guide to Policy & Procedure Management

Learn how to effectively and efficiently manage your organization’s employee handbook, code of conduct and other
important documents. This guide gives organizations of all sizes insight on how to optimize policy and procedure
management with real-world examples, helpful tips, and research.
Definitive Guide to Compliance Program Assessment

Perform an effective compliance program assessment using industry evidence and insights to evaluate your efforts.
Ensure you can swiftly respond to new laws and regulations, lines of business, geographies and mergers and acquisitions
that add to a growing enterprise your compliance ecosystem must support.
Definitive Guide to Your Code of Conduct

Learn everything you need to transform your code of conduct from a document into a resource that employees can use to
engage with your organization’s goals and values.
41
NAVEX Global provides a comprehensive suite of risk
and compliance software, content and services that
help organizations protect their people, reputation
and bottom line. Trusted by more than 14,500 customers,
our solutions are informed by the largest ethics
and compliance community in the world.
For more information, visit www.navexglobal.com.
Americas EMEA + APAC
5500 Meadows Road, Suite 4th Floor, Vantage London
500 Lake Oswego, OR 97035 Great West Road
United States of America Brentford, TW8 9AG
info@navexglobal.com United Kingdom
www.navexglobal.com info@navexglobal.com
+1 (866) 297 0224 www.navexglobal.com/uk
+44 (0) 20 8939 1650
Copyright © 2020 NAVEX Global Inc. All Rights Reserved.

Top 10 Risk & Compliance Trends For 2020

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Top 10 Risk & Compliance Trends For 2020

Hochgeladen von

Copyright:

Verfügbare Formate

A NAVEX Global eBook

Top 10 Risk & Compliance

I. Managing the Impact of Politics in Our Organizations  3

II. Future-Casting Culture in M&A Due Diligence 7

III. Impact of Digitized Environments & Modern Workplaces on Internal Investigations  11

IV. We Need to Learn How to Train Humans, Not Employees  15

V. Sanctions Compliance in the Era of Financial Warfare  19

VI. R3: People Risk, Business Risk, & Regulatory Risk  23

VII. Data Privacy Is Not a Law, It’s a Lifestyle  27

VIII. Today Whistleblower Protections Driven by Legislation, Tomorrow by Value  30

IX. Finding Your Footing in a Sea of Regulations & Guidance  34

X. Hotlines, Headlines & Hearsay: When Whistleblowing Is National News 38

XI. About this Resource 41

By: Ed Petry But whatever the root cause, politics is creating

» Leverage the influence you have to make sure that

» Ensure leadership as well as public-facing

Ensure Political Self-Censorship Does Not

About the Author

Ed Petry, Senior Advisor, NAVEX Global

By: Fernanda Beraldi Deal Size Expectations by Industry

Despite global economic uncertainty, M&A activity is 61%

expected to accelerate in the years to come. According TMT 2%

believe M&A will be defined by higher dollar amounts 27%

and more diversity of targets. Technology acquisition has

While M&A outlooks are optimistic, there is a data point

Source: Deloitte: “The State of the Deal: M&A Trends 2019”

About the Author

Fernanda Beraldi, Senior Director, Ethics & Compliance, Cummins Inc.

By: Scott Moritz scale frauds in connection with pay-per-click advertising

To keep pace with the digitized workplace, investigators

Steps for Organizations to Take

Extend Your Subject Matter Expertise

Understand the Evolving Arc

Further adding to the challenge facing investigators

About the Author

Scott Moritz, Senior Managing Director, FTI Consulting

» Increase employee morale

Oftentimes organizations are caught off guard when

» Who has learning constraints based on education

About the Author

Ingrid Fredeen, Vice President, Online Learning Content, NAVEX Global

By: Michael Volkov The Future of OFAC Compliance

1. Get Senior Management Commitment

» Actively review and approve the organization’s SCP

» Designate a dedicated OFAC sanctions compliance

» Create effective internal systems for whistleblowers

» Severely and publicly punish violators to demonstrate

» Offer strong reporting mechanisms

2. Tailor Program to Risk Profile

About the Author

By: Sam Abadir Developing a federated but enterprise-wide perspective

Understand the Full Life Cycle of Risk

1. Define your organizational risk profile

2. Identify the inherent risks to your business, industry

3. Define and articulate your organizational risk

4. Design internal controls that operationalize that risk

6. Monitor controls to ensure they are in acceptable

About the Author

Sam Abadir, Director, IRM Industry Solutions, NAVEX Global

Steps for an Organization to Take

About the Author

During 2019, whistleblower protections around the Whistleblower Protection Developments

2. Changes to Australia’s Corporations Act, which took

I. Managing the Impact of Politics in Our Organizations 3

II. Future-Casting Culture in M&A Due Diligence 7

III. Impact of Digitized Environments & Modern Workplaces on Internal Investigations 11

IV. We Need to Learn How to Train Humans, Not Employees 15

V. Sanctions Compliance in the Era of Financial Warfare 19

VI. R3: People Risk, Business Risk, & Regulatory Risk 23

VII. Data Privacy Is Not a Law, It’s a Lifestyle 27

VIII. Today Whistleblower Protections Driven by Legislation, Tomorrow by Value 30

IX. Finding Your Footing in a Sea of Regulations & Guidance 34

X. Hotlines, Headlines & Hearsay: When Whistleblowing Is National News 38

XI. About this Resource 41