Top 10 Risk & Compliance Trends for 2020 | +1 866 297 0224 | info@navexglobal.com | www.navexglobal.com
Introduction
Every year as we prepare for this annual publication, we discuss how the social, political and environmental landscapes our businesses operate within are growing more and more complex. We explore the implications of new regulations, new enforcement of old regulations, and the nuances of human behavior growing more disparate in a strained cultural climate.

At first blush, this year is no different. We are entering a time of political elections, transitions and regimes rife with controversy. We’ve experienced a firehose of regulatory activity across the globe, covering everything from sanctions compliance and data privacy to enhanced whistleblower protections. And we’re seeing a shift in the appetite for advocacy and demand for justice from customers and employees alike.

But this is all more of the same for risk and compliance practitioners. We’ve always operated – and flourished – through complexity. But something does feel different this year. It’s not the complexity itself but a shift in our perspective and approach to that complexity. External pressures are still very real and comprise a number of our 2020 trends and predictions; however, this year, many of our trends are a bit more introspective. Yes, we live in a hyper-regulated, hyper-scrutinized, hyper-transparent world, but even with all these external pressures – and in part because of them – risk and compliance professionals are looking inward at the programs and the risk management structures, roles and practices designed to protect our organizations.

Over the past couple of decades, we have taught ourselves to be defensive in our approaches to risk management. But no matter how valiant those efforts are, a defensive strategy will always be a reactive one. And we are currently at a point in our risk and regulatory development where we are not able to react to everything. We are now unlearning that defensive nature and developing programs that are proactive.

Mature risk and compliance programs are taking a step back and thinking more holistically about their management systems. We will never be able to prevent each and every risk, but we can create risk-resilient systems. Resilient systems align efforts across strategic, operational, IT, and compliance risk management capabilities. They manage risk, as well as prepare for the inevitable risk failure. Resilient systems ensure business continuity, demonstrate overall program effectiveness, and communicate to employees that risk and compliance is a business priority.

The risk and compliance landscape will always be defined by complexity. We’ve accepted that. We are now moving on from deconstructing each and every risk and moving toward thinking more holistically about integrating our strategies to simplify risk management.
1. Managing the Impact of Politics in Our Organizations
The power of “call-out” or “cancel culture” is real. Call-out or cancel culture is a form of public shaming where individuals or companies are vilified for real or perceived moral or political offenses. A litany of companies have recently faced boycotts by consumers or walkouts by their own employees. What can we do to minimize the risk of being the next victim of organized outrage?
Academics have studied why employees self-censor, and their findings are important to us because there may be a connection between political self-censorship and the erosion of an organization’s speak-up culture.

» Create a clear distinction between holding one’s political tongue and raising one’s voice. When employees believe they cannot voice their opinion or believe their views are not welcome, they may self-censor and withdraw from discussion. As ethics and compliance professionals, we need to ask whether employees who self-censor from political debates will also disengage from speaking up in general. When our leaders speak out on controversial issues, they may be cheered on by some, but are we fully aware of the unspoken reaction by others and the cost? The risk may be exacerbated when leaders tie their political opinions to the company’s values. If an employee disagrees with the leader’s political views, they now run the risk of being perceived as disagreeing with their employer’s values.

» Evaluate whether surveys and other means of assessing employee engagement are sufficient. Are they able to indicate if self-censorship and disengagement are problems at your organization? It’s hard to tell, since the affected employees have “gone underground” and don’t wish to speak up. If we are not aware of the scope of the problem and the depth of employee alienation, we may unwittingly have an overly optimistic picture of our organizational culture and be missing an entire employee population that is quietly frustrated or worse.

Managing the impact of politics on our organizations is nothing new; however, that impact is growing larger and more divisive. It is essential for ethics and compliance officers to be tuned in to their colleagues and public sentiment to prevent a damaging political brand event and be prepared to remediate the downstream effects of such a failure.
2. Future-Casting Culture in M&A Due Diligence
Using Cultural Insights to Maximize M&A Deal Success

At its base, M&A due diligence is an exercise in determining valuation and actualizing liability. Risk and compliance professionals often focus on the latter, but can also play a part in future valuation and deal success when the right intelligence is uncovered.

Most M&A due diligence processes perform a thorough evaluation of the compliance program, its policies and procedures, its code of conduct, and its ethics and compliance training curriculum. Just as in an external audit of your own internal compliance programs, no stone should be left unturned – no program outcome left unreviewed. This process generally results in a narrative for liability to be weighed against risk tolerance; however, as deal success rates indicate, there is room for improvement.

As M&A due diligence continues to mature, I believe we will begin to close the gap of cultural alignment and assessment. Here, practices will evolve to accurately assess a target’s corporate culture today and, more importantly, tomorrow.

Steps for Organizations to Take

Go Beyond Substantiated Reports to Find Unfiltered Information Streams

Corporate culture is hard enough to evaluate in our own organizations, let alone trying to assess the culture of an entirely different company. This is where organizations can turn to aggregate, unfiltered internal hotline reporting data for a complementary stream of due diligence intelligence. And I’ll emphasize “aggregate” and “unfiltered.” Internal whistleblower hotline and incident management data is likely already part of most M&A due diligence processes, but this is usually relegated to substantiated case reports.

According to NAVEX Global’s 2019 Ethics & Compliance Hotline Benchmark Report, 42% of internal reports were substantiated. While those reports, cases and resolutions are important, I also want insight into the 58% of reports that were not substantiated. Who made them? What part of the organization did they come from? Why were they unsubstantiated?

This is where we get into the future-casting state of due diligence. The facts we could derive from process review and the substantiated facts we could see from aggregate incident management records may help determine the target’s corporate culture and risk at time of purchase. Corporate culture, however, can also inform future risk. One could get a hint at that culture through substantiated case files, but it is a curated view of the culture prepared by the target. That is not to say there is anything suspicious about that curation, but it will always be an interpretation. And I am positive that compliance officers out there prefer to make their own interpretations.

Better Define Cultural Valuation Based on Speak-Up Track Record

Use aggregate hotline data to get a better understanding of what a speak-up culture is like at a target. Do employees feel empowered to report misconduct? Are they properly trained on values and expectations for the corporation? Does the company really know what risk looks like, and is the culture equipped to support enterprise-wide hygiene? Or is there potential cynicism or distrust brewing beneath the surface?

Aside from the cultural intelligence that aggregate hotline data provides, the volume of reports can be just as informative. Recent research out of George Washington School of Business provides empirical evidence that internal hotline reporting activity and business performance are positively correlated. While the long list of performance indicators included in the research is impressive, I am most intrigued by the finding that “firms that actively utilized their hotlines received, on average, 46% fewer negative news stories than businesses with low or infrequent internal reporting use.”

The last thing one would want during a post-acquisition phase is a reputation-damaging news cycle, so the first thing a compliance officer should be looking at is whether they can have a clear-eyed view of the future liability embedded within the corporate culture they are integrating.

M&A activity shows no signs of slowing in 2020 or in the years to come. To keep pace confidently, organizations will have to prioritize cultural alignment and assessment and explore new ways to do that effectively. Internal whistleblower hotline data is surfacing as one of the most elucidating information streams we have at our disposal when assessing and cultivating our own corporate cultures. Now that we are seeing the predictive benefits of that data, there is no reason compliance should not be incorporating it as a standard part of M&A processes, in addition to just “digging” at substantiated reports.
3. Impact of Digitized Environments & Modern Workplaces on Internal Investigations
The rules of evidence and investigative processes have not changed much over the last 100 years. And investigators must still gather information from whatever sources are available. What has changed, though, is the need to understand the type of information that is being created and stored, how the evidence within those data stores must be preserved, acquired and analyzed, and the team and skillsets that will be needed to bring the investigation to a successful conclusion.
an understanding of the allegations at hand, an initial picture emerges as to what information must be gathered and analyzed. Investigative steps should then be taken to determine whether the allegations have merit and to gather the evidence needed.

Complex investigations with large volumes of information, perhaps multiple allegations and conduct that span multiple geographies, oftentimes suggest the need to assemble an investigative team made up of multiple skillsets and disciplines. This multi-disciplined approach to investigations has never been more important given the widespread use of new technologies.

Navigate the Delicate Landscape of Privacy Law

Investigators used to think nothing of forensically imaging hard drives or acquiring email in one country and bringing it back home to another for analysis. More recently, the default approach is for data to never leave that country and instead for it to be analyzed locally to avoid potentially violating one or more privacy laws. Every investigative plan must consider the data privacy implications of the investigation at inception.

Investigations are inherently learning experiences. Investigative processes are about ingesting and analyzing information at an accelerated rate. The same is true about digitization. Bringing these two processes into harmony is not as difficult as it may seem. It starts with knowing what you don’t know.
4. We Need to Learn How to Train Humans, Not Employees
By: Ingrid Fredeen, VP Online Learning Content, NAVEX Global

This article could very well have been about the evolution of #MeToo, or the latest corporate walkout/sit-down/boycott, or how cancel culture is leaving no company, brand or person safe from being “cancelled.” As someone whose profession requires a keen understanding of behavioral sciences, I have an endless supply of social and organizational trends I could identify and deconstruct. However, the most expansive trend I am seeing is not in human behavior – but in humans.

that presents employers with a new challenge and opportunity. However, the learning curve is steep and the deadline to acquire these skills is yesterday.

According to respondents in NAVEX Global’s 2019 Definitive Corporate Compliance Benchmark Report, training, communications and awareness programs are the vehicles through which we help organizations connect with purposeful and passionate employees. In the report, training is indicated to:

» Improve trust in leadership
of materials from a third party they dislike. With the help of social media and a growing penchant for advocacy, employees now have the ability to force an organization to change or explain their actions and be prepared to deal with the consequences of those decisions.

People are already motivated to raise their voices. With the proper channels for communication and encouragement for reporting, organizations can drive people to speak up internally rather than speak out externally.

Train the Human, Not the Employee

People are coming into their roles with more emotional, political, and social affinities than ever before. A 60-minute training course will never counterbalance the human inertia in the workplace when people bring their full selves to work. We need to go beneath the surface, go beyond checking the box, and actually design training curriculums that effectively map to our cultures. For every training and awareness activity, ask yourself – have I made this relevant to an employee? Does the content connect with them more deeply than just on a purely risk or legal level? Will my employees better understand why our organization approaches this area of risk in a certain way and how it ties back to our organization’s values? The key is to start thinking about learners as not just employees but rather as human beings with interests and passions outside of the workplace.
Consider these questions:

» Who has computers? Who works at a desk? Who works primarily away from a desk?

» Who has high exposure to specific risks?

» Will this course help build trust in our organization and its leaders that we are serious about getting this right?

» Is the course more than a recitation of legal principles – is it relevant and meaningful?
5. Sanctions Compliance in the Era of Financial Warfare
Steps for Organizations to Take

You don’t need to go far to determine the steps organizations must take to align with new sanctions compliance expectations. OFAC provides a five-part prescription.
3. Evaluate Internal Controls & Calibrate Solutions

Once an organization has completed its initial risk assessment and profile, it must adequately address the results through policies and procedures that clearly and effectively identify, interdict, escalate, record and report prohibited activities. Here, OFAC specifically states its expectation that organizations utilize “information technology solutions” to manage this complex task. However, the adoption of a technology solution alone is not enough. The guidance stipulates that organizations must select and calibrate solutions “in a manner that is appropriate to address the organization’s risk profile and compliance needs.”

4. Test & Audit

Of course, an organization’s risk profile is not static, nor do internal controls or technology solutions come perfectly calibrated. Effective SCPs are audited and tested regularly to check for weaknesses and deficiencies. OFAC expects SCP elements to be routinely recalibrated to account for changing risks. Such testing functions should be comprehensive, objective, independent and accountable to senior management. When test results are negative, corrective action should be immediate and effective. It should also address the “root causes” of failures, rather than focusing on their symptoms.

5. Train Appropriate Personnel

Finally, the OFAC guidance requires firms to implement training programs for all appropriate employees and personnel. While training has traditionally been part of SCPs, what is noticeably different here is the frequency. OFAC now requires training to be provided annually at a minimum. Further, training should be tailored to both the entity’s risk profile and each employee’s individual role. Training should also be extended to the organization’s external stakeholders, including clients, suppliers and business partners.

These sweeping new responsibilities and obligations for entities with partners, clients, suppliers, distributors or customers overseas are not spurious. They are the direct and considered consequence of long-term U.S. foreign policy, and they are likely to expand rather than recede with time.

While the challenges posed by the new OFAC guidance may seem daunting, firms can and should use this moment as an opportunity to imbue their compliance functions with the authority, autonomy, resources and technology that regulators now expect of them. We are entering a year of change in the sanctions world as successful businesses and compliance programs anticipate these shifts in the compliance landscape and adapt accordingly.
Michael Volkov, CEO and Owner, The Volkov Law Group, LLC

Michael Volkov, CEO and owner of The Volkov Law Group, LLC, has over 30 years of experience in practicing law. A former federal prosecutor and veteran white collar defense attorney, he has expertise in areas of compliance, internal investigations and enforcement matters. Mr. Volkov spent 17 years as a federal prosecutor in the U.S. Attorney’s Office for the District of Columbia. As an Assistant U.S. Attorney, he had over 75 jury trials and extensive federal court experience. He also served on the Senate and House Judiciary Committees as the chief crime and terrorism counsel for the respective committees. In addition, Mr. Volkov served as a deputy assistant attorney general in the Office of Legislative Affairs of the U.S. Department of Justice (DOJ) and as a trial attorney in the DOJ’s Antitrust Division. Michael Volkov maintains a highly popular FCPA blog, Corruption, Crime & Compliance. He is a regular speaker at events around the globe, and is frequently cited in the media for his knowledge on criminal issues, enforcement matters, compliance and corporate governance.
6. Risk 3: People Risk, Business Risk, & Regulatory Risk
Understand Your Organization’s Risk Composition

While every organization has people, regulatory and business risk, how those risks compose the whole will be unique to your organization. Financial institutions may prioritize regulatory risk and manage people and business risk around that. Manufacturers may start with their business risk and ensure operations align with regulatory requirements and employee relations. Retail organizations with large salesforces may lean heavily into people risk while ensuring their third-party suppliers do not jeopardize their business risk. And every organization must manage strategic risk that comes with year-over-year growth expectations. The end goal for every organization should be a single architecture for risk management. This ensures that the individual strategies deployed across separate business functions inform and respond to enterprise needs.

7. Prepare for the potential failure with remediation strategies and resiliency plans that manage downstream consequences.

Monitor Consistently & Continuously

Once the life cycle is defined and operationalized, we can then take a risk-based approach to monitoring our risk. An example of this is in our third party due diligence and screening practices. These same risk-based, continuous monitoring efforts should be reflected in our internal tools, processes and assessments. While vendor risk management may track different factors, our internal efforts should mimic its risk-based cadence for monitoring our leading risk indicators. Internally, this will often include monitoring things like sales figures, marketing performance, digital risk, API integrations, or travel bookings, among others. For this, we need a risk architecture that identifies risk and is responsive enough to identify when those risks change.

Increase Transparency

Risk management, once a unique responsibility within individual departments, needs to be elevated from its siloed roots. Unfortunately, there will most likely always be siloes – that is the business reality we live in. The goal, however, is to create systems that force those siloes to identify the relevant information that needs to be communicated across, and integrated into, global operations. This will create a common risk vocabulary and increase transparency so that siloes do not create confusion and volumes of extra spreadsheet work that increase administration and decrease accuracy.

This requires departmental personnel to physically (or virtually) get up from their seats and build working relationships with their counterparts in adjacent departments. This again can be seen clearly in the role of data privacy and security. For instance, your data privacy officer is probably a lawyer. While they can inform each team of what the law says, they need privacy-minded counterparts in each team who can translate what CCPA or GDPR alignment looks like in practice for engineering, customer service, accounting, information security and IT, etc.

Our technology solutions need to be holistic as well. Risk management software is essential to automate processes and programs, and solutions themselves cannot be siloed. Individual solutions that do not speak to one another or ultimately track into an enterprise-wide system can unintentionally automate risk for other departments. A flexible platform solution, or at least an integrated risk management approach, that supports actionable, risk-based management in an auditable manner will ensure that transparency is embedded into the solutions we deploy to manage our risks.

When you think about risk holistically, you broaden your perspective on the full breadth of the risk ecosystem your business operates in. This creates more visibility into the complexity. While we will never be able to reduce the complexity of the risk landscapes our businesses operate within, we are able to simplify the approaches we take to effectively manage that risk.
7. Data Privacy Is Not a Law, It’s a Lifestyle
By: Jess Wilburn, Data Privacy Officer & Senior Counsel, CIPP/US, CIPP/E, NAVEX Global

The words “hodgepodge” and “patchwork” are overused in the world of risk and compliance, but they’re certainly appropriate for describing the myriad data privacy regulations popping up around the world.

In 2018, the world of data privacy was shaken by the enforcement of the EU’s General Data Protection Regulation (GDPR). In 2019, a subset of the world braced itself again for the California Consumer Privacy Act (CCPA). Together, these two regulations fueled most of the headlines for companies and consumers alike, and for good reason. They are expansive and prescriptive. However, the reality is they comprise only a small fraction of global data privacy legislation.

As we enter the early 2020s, there will be more than 100 countries with data privacy legislation in place. Along with the international sprawl of privacy law, in the United States there are a number of similar-but-different state laws in the offing. All of this means that organizations managing data and operating across borders must be exceedingly vigilant in how they navigate the wide array of data privacy regulations.

In Data Privacy Law, Change Is the Only Constant

In 2020, “change” will define our existence as organizations operating in a world of heightened appreciation for an individual’s personally identifiable information (PII).

While more than 100 countries currently have data privacy legislation in place, that also means more than 40% of countries do not, though most likely will soon. In the United States, no federal standard is likely to emerge in the near future, meaning individual state-level laws will continue to proliferate. Outside of new laws, the application of existing data privacy law will continue to evolve with each enforcement action. For instance, an early 2019 enforcement action against Google taught us that transparency and specificity are required to obtain “informed consent” from consumers. This forced companies to take a look at how their own privacy statements and policies meet standards.

While GDPR compliance is a continuous journey that isn’t ending anytime soon, the most significant changes we will see will likely come from ripple effects from the recently launched CCPA. Under CCPA, California consumers may request:

» What personal information is being collected and why

» For personal information to be deleted

» To obtain information about onward disclosures and the “selling” of their personal information

» The categories of third parties with whom their data is shared, or from whom it was acquired

In many ways CCPA is more of the same from GDPR, with additional specificity around the methods provided to consumers for requesting their data. Here organizations in scope will need to provide consumers with “at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.” We can expect to see echoed requirements at a state and global level over the next couple of years and beyond.
This state of constant change will create an environment where organizations will not only have to continually define and refine data privacy processes and procedures, but also define and refine organizational structures that process data, skillsets of individuals who manage data, and the relationship the company has with PII.

Whether formally or informally, the data ambassadors you’ve identified throughout the organization and those specifically hired for privacy should come together to create a privacy committee. This committee should meet regularly, discuss internal and external evolutions, and be change agents who embed better data privacy across the organization.
Jess Wilburn, Data Privacy Officer & Senior Counsel, CIPP/US, CIPP/E

As Data Privacy Officer & Senior Counsel, Jessica leads data privacy for NAVEX Global, advising on compliance across all aspects of global privacy law and regulations. She has been with the organization for over four years, initially focusing on the negotiation of Software-as-a-Service (SaaS) agreements and data transfer and processing agreements. Jessica spent the majority of 2017 in our London office, working with individuals from around the globe on the impact of global data privacy laws.
8. Today Whistleblower Protections Driven by Legislation, Tomorrow by Value
By: Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global

In either case, the effects will be profound. Let’s review some of the recent developments to understand why.
3. The U.S. Department of Justice’s “Evaluation of Corporate Compliance Programs” guidance, initially released in 2017, was updated in 2019. The new guidance states that prosecutors will look for proactive measures to create workplace atmospheres free of the fear of retaliation, along with appropriate processes for submitting complaints and systems to protect whistleblowers. A new Whistleblower Protection Reform Act is also making its way through Congress. The bipartisan bill, which passed the House of Representatives by a vote of 410 to 12 last summer, would extend the rights and protections guaranteed under the Dodd-Frank Act to internal whistleblowers. This legislation would effectively reverse the Supreme Court’s decision to limit such protections to those who report to the Securities and Exchange Commission.

4. Beyond new laws and regulations, new global whistleblowing guidance is also emerging. Set for release in 2021, ISO 37002 intends to provide best practices for whistleblower systems built around trust, impartiality and protection. “Its aim is to provide guidance on how a whistleblowing management system can help you to become, and be seen as, a responsive organization,” said Wim Vandekerckhove, chairman of the ISO 37002 committee.

What’s Behind the Changes in Whistleblowing Protections

As we speculate on future implications of increasing whistleblower regulations, it’s important to understand what is behind the changes in the first place.

The most forceful impetus has been a fall from grace experienced by many politicians, celebrities, high-profile executives, and some of the world’s largest companies, all spurred by an initial whistleblower report. And in many of these cases, the reporter experienced career-threatening retaliation. As a result of these continuing issues, there is now an overall lack of trust in organizations and a public demand for more transparency in organizational processes.

Beyond the headlines, however, a foundational paradigm shift is taking place – one that hinges on economic value. Consider the 100-page report, “Estimating the Economic Benefits of Whistleblower Protection in Public Procurement,” that led to the EU whistleblower directive. The report states:

“The quantitative findings clearly demonstrate the economic value of whistleblower protection. For all of the countries and scenarios considered, the potential greatly exceeds the costs. The qualitative evidence gathered from the countries sheds light on good practices and lessons learned for effective and efficient implementation. What remains for policymakers is not to justify the economic case, but rather to determine how such systems can be effectively and efficiently designed to realise the full potential for citizens across the EU.” [emphasis added by author]

In the U.S., there are similar value statements surfacing from George Washington University in the study, “Evidence on the Use and Efficacy of Internal Whistleblowing Systems.” These findings show that:

“Internal whistleblower report volume is associated with fewer and lower amounts of government fines and material lawsuits, which is consistent with reports being a resource that deters inappropriate behavior and helps management identify and address concerns before they become more costly to the firm. All of this might be shifting the perspective on whistleblowing.” [emphasis added by author]

Most of the recent regulatory changes can be traced back to value – the value that economies, companies and shareholders have lost as a result of the various scandals. And this is not the first time we have seen a flurry of new regulations after a series of high-profile economic and ethical failures.

Going into the new decade, the evolution of whistleblower protections will be driven by protecting and enhancing value. Here, organizations rather than regulations will ultimately drive internal whistleblower programs, not simply to prevent value loss but to enhance value generated. As we have seen time and
time again, program best practices are often first implemented through self-regulation, then codified and enforced by regulators, and then evolved beyond check-the-box processes to achieve true business value. The ultimate objective is that internal reports are raised, problems are identified, and issues, faulty systems, and inefficient processes are addressed to optimize operations and eliminate potentially damaging litigation and media exposure.

Steps for Organizations to Take

There are two key steps our organizations should take if we are to truly achieve value from these efforts.

1. Avoid Falling Into a Prescriptive, Check-the-Box Approach

While the broadening regulatory support for whistleblowing brings much needed credibility to internal reporting processes, it is also applying additional prescription to internal processes. If we learned anything from the regulations of the past, it is that the more prescriptive they are, the more organizations will strive to check the regulatory box rather than truly implement the changes necessary to achieve the desired outcome. It is essential to take steps to create a defensible reporting system, but organizations should not stop there. They must understand their unique workplace culture to ensure that their program doesn’t just exist but is actually used by employees.

To fully capitalize on this business value of employee reporting, organizations must get full commitment from management on the criticality of internal reporters, while also ensuring the reporting systems in place are best in class. That is where extended value is created.

2. Go Beyond a Focus on Individual Reports

The micro benefit of effective internal reporting systems is the ability to identify, address and resolve individual issues before they turn into corporate crises or a financially and reputationally damaging event. The macro benefit is the ability to holistically identify issue patterns and predict where failure points could occur. This comes with fully understanding how to interpret our aggregate hotline data along with other sources of information such as surveys, risk assessments, exit interviews, and other data points that could catch a brewing problem early. With this approach, we can identify enterprise-wide cultural trends and isolate hot spots within regions, teams or hierarchies.

To uncover these big-picture trends, we must retrain ourselves on how to analyze and interpret our hotline data. We are not just trying to substantiate a case; we are trying to substantiate a culture.

As “whistleblowing” continues to be front and center in our collective minds, compliance officers should capitalize on the opportunity to reinforce their organization’s commitment to speaking up. This will help ensure the value employee reporters create will stay within the organization.
9. Finding Your Footing in a Sea of Regulations & Guidance
By: Kristy Grant-Hart
Author & CEO, Spark Compliance Consulting

The compliance officer woke up in a cold sweat. In his nightmare, once again the regulator had spoken. Only this time, it was a marauding horde of regulators spouting guidance, regulations and legislation. The acronyms came thick and fast – OFAC, ABAC, UKBA, FCPA, DOJ, SEC, MSA… As he tried to calm himself, he realized this wasn’t just a dream. It was real.

Welcome to 2020. There was a time when compliance officers clamored for more specific regulations and guidance. During the past several years, however, what used to be a dearth of specific enumerated expectations has become a sea of guidance that can be hard to track, much less interpret and implement into your program.

Recently, we’ve seen OFAC publish its Framework for OFAC Compliance Commitments, the DOJ’s new Evaluation of Antitrust Compliance Programs guidance, and regulations and amendments to the California Consumer Privacy Act. We’ve also seen numerous publications of guidance from the European Data Protection Board interpreting pieces of the General Data Protection Regulation, and of course, the DOJ’s Evaluation of Corporate Compliance Programs guidance. And this only scratches the surface.

With all of the major pronouncements in 2019 by U.S. authorities, 2020 may be a slow year for national guidance. Stateside, the CCPA isn’t finished yet, so expect more guidance on this law. Be aware of the potential for new laws that may come into force with the next national election in November. The 2018 national election brought in a slate of new laws relating to sexual harassment training and policies, and we may see that trend expand on a state-by-state basis by the end of 2020.

On the international front, prosecutions under the GDPR will likely produce significant guidance by the Article 29 Working Party, European Data Protection Board, and individual countries’ Data Protection Authorities. Guidance for newer anti-bribery laws like the Brazilian Clean Companies Act and France’s Sapin II may very likely come out in 2020. And the UK’s Ministry of Justice may issue additional guidance on the UK Bribery Act based on the recent deferred prosecution agreements (especially when it comes to what an adequate procedures defense looks like). Lastly, if Brexit is accomplished, expect tremendous amounts of guidance on how businesses are to deal with the new legal landscape between the EU and Britain.

What’s a compliance officer to do? Try out the following to find your sea legs.

Steps for Organizations to Take

Perform the Two-Step Application Review

The noise can make it difficult to figure out what actually needs your attention. There are two different analyses to complete to find out if the guidance really applies to you. First, determine what is in your remit. Compliance’s areas of expertise need to be enumerated specifically so you know what you need to track. If compliance’s remit is antitrust, bribery, data privacy, and trade sanctions, then it isn’t your responsibility to track what is happening with
the UK Modern Slavery Act. Make sure you know what is
in your remit so you can become an expert in those areas,
while ignoring the rest.
get a free session or continuing education course at your company if you ask nicely. Instead of putting the burden on yourself to learn everything new, use the synopses and tools provided by the legal and consulting world to help you discern what matters.

When looking at the guidance and regulations that apply to your program, look for synergies across the various guidance. For instance, completing a risk assessment is an expectation/requirement under the Federal Sentencing Guidelines, DOJ Antitrust Guidance, OFAC Guidance, ISO 19600 standard, and ISO 37001 standard. Training on critical policies for those affected by risk is required for every area of your program. This includes trade sanctions, import/export, bribery, anti-money laundering, privacy, competition/antitrust, etc. Looking at the guidance holistically can help in planning your next moves.

By using these strategies, you can face the onslaught of guidance with a plan. You can focus on what matters and drown out the white noise. And that will have you sleeping like a baby.
10. Hotlines, Headlines & Hearsay:
When “Whistleblowing” Is National News
By: Carrie Penman
Chief Risk & Compliance Officer, NAVEX Global

For years, ethics and compliance officers wished for the day when our work was at the forefront of public conversation — a day when people everywhere eagerly discussed the importance of effectively preventing and detecting misconduct and the importance of speaking up.

That day arrived in fall 2019, thanks to an anonymous whistleblower reporting about a phone call between the U.S. White House and the president of the Ukraine. Compliance officers would be remiss not to understand the significance of this moment, and its potential consequences for whistleblowing and internal reporting more broadly in the years to come.

With long held industry principles, best practices, and codified legal protections in place for decades, we are now surrounded by debates over:

» The value of anonymous reporting and confidentiality
» The appropriate approaches to investigations
» Whether second-hand reporters should be permitted to report
» The protections afforded (or not) to whistleblowers to prevent retaliation

Setting aside politics, these highly visible debates have surely made an impression on would-be internal reporters, both in government and private organizations. As a result, we should expect speaking up – an already decidedly tumultuous experience – to cause even more angst for employees and would-be reporters.

So, what impact will this have on our organizations and our approach to managing internal reporting processes?

The End to an Era of Suppressive Whistleblower Culture … or the Beginning?

There is no doubt that many potential whistleblowers are now thinking more carefully about if, when and how they would report misconduct. They are more likely than ever to first focus on protecting their interests (career mobility, personal reputation, financial assets). Some might decide to report anonymously; others might go to the other extreme and take their concerns to the biggest public platform they can find. Still, some won’t report at all, and perhaps quietly leave the organization.

The ongoing national conversation has pushed the issue to an inflection point that leaves us with an open question: will we allow this heightened scrutiny to put a further chill on internal reporting, or will we capitalize on the opportunity to once and for all change the perception of whistleblowing and its value to organizations?

We might start with the term “whistleblower” itself. For years, I have been vocal with my concerns that this negative label discourages individuals who are considering reporting potential wrongdoing. A neutral term like “reporter” more aptly captures the value of the deed and empowers employees to rise to the obligation. Most organizations with mature programs know this, and refer to their programs in a more positive and supportive way.

To address this potentially suppressive “whistleblower culture,” organizations would be well served to consider and embed the business value of internal reporting systems into an organization’s culture and business
practices. Over the past two years, studies by George Washington University (GWU) have unequivocally demonstrated the business value of strong reporting systems and cultures. Findings show that firms with higher hotline usage experienced:

The research found that claims in secondhand reports are 47.7% more likely than those of firsthand reports to be substantiated by management.
substantiated than firsthand reports. All reports should be considered potentially valuable, or the most valuable reports may never be considered at all.

3. Address Fear of Retaliation

Fear of retaliation is one of the primary reasons why employees do not report. Proactively addressing this fear through awareness and training is critical – as is disciplining retaliators. While fear of retaliation will never be eliminated, it can be reduced, which could mean the difference between getting “the big report” or not.

4. Review Your Investigative Processes

It is always good practice to periodically review and test internal investigation processes to ensure they are consistent, timely and fair. With all the various new global regulations, it will also be important to ensure that systems intended to protect confidentiality are working properly.

5. Ensure Your Processes Are Resilient

Organizations need to seal any cracks in their internal reporting systems and remember the larger objective in doing so: making those systems more resilient to management pressure, and therefore more trusted by would-be reporters.

In fact, if there’s any one word that keeps coming to mind, it’s that: resilience.

Reporters must be resilient, but so must our organizational processes. To be successful, we need to design reporting systems that are resilient to outside influence and that can offset the inherent pressure on internal reporters to stay silent, recant or take their concerns elsewhere. It’s our job to relieve that pressure, protect the reporter/whistleblower, and capture the human and business value of employee reporting.
About this Resource
The issues, concerns and opportunities found in NAVEX Global’s annual Top 10 Risk & Compliance Trends are generated
by thought leaders who work in, report on, and develop solutions for the compliance industry. The eBook was compiled
by the editors and contributors of NAVEX Global’s blog, Ethics & Compliance Matters™, and each article was authored
by a current contributor to the blog. You can keep up with the evolution of these trends and others throughout the year
when you subscribe to the Ethics & Compliance Matters Blog.
NAVEX Global provides a comprehensive suite of risk
and compliance software, content and services that
help organizations protect their people, reputation
and bottom line. Trusted by more than 14,500 customers,
our solutions are informed by the largest ethics
and compliance community in the world.
For more information, visit www.navexglobal.com.
Americas
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
United States of America
info@navexglobal.com
www.navexglobal.com
+1 (866) 297 0224

EMEA + APAC
4th Floor, Vantage London
Great West Road
Brentford, TW8 9AG
United Kingdom
info@navexglobal.com
www.navexglobal.com/uk
+44 (0) 20 8939 1650