Growing Your Company Means Growing Compliance Efforts

For growing businesses, a single ethical or regulatory violation can be catastrophic financially and destroy a nascent company’s reputation forever.



By Giovanni Gallo, Co-CEO and Chief Development Officer of ComplianceLine

Many leaders are tempted to not deal with compliance and risk management until they’re forced to. They don’t choose their battles; they wait to put out fires. That was probably not ever totally wise, but it’s now more foolish than ever.

The reason is simple: growing companies are very operationally focused; nothing is created until there’s an urgent need, and you’re fighting for every inch of growth. They don’t usually have the excess capacity, deep pockets, expertise or even time to architect infrastructure and processes as they lay their foundations.



Startup CEOs are at risk

A CEO or founder of a startup is already wearing so many hats that they’ll often “under scope” their time and resources toward risk management; compliance and ethics often fall on the bottom of the priorities list. But we must realize that most of us are not risk managers. We are wired to see averages well, and get blindsided by tail events (remember COVID, or the Great Recession?). This is not due to any lack of concern about being an ethical company; rather, it’s often because we underestimate both the size of the risks and how achievable it is to mitigate them.

“We’ll do it when we get bigger/when we need to,” is a common refrain. It’s akin to driving without car insurance. You know you should get covered, but you have to GO! You keep driving down the highway, hoping you don’t get caught.

Small companies tend to have a misperception about the value of risk management. Whether you have 500 employees or 20,000 employees, the risks are the same. But think about this: the impact of a compliance lawsuit is amplified for smaller businesses! A single ethics and compliance (E&C) claim can cost considerable time, attention and resources; an E&C claim is more easily absorbed by a large company, but potentially devastating for a smaller, fast-growing one.

Start Fast. Measure Risk. Start Now.

In areas of risk mitigation, it’s imperative that business leaders act now. There’s no time like the present – even if that’s just planting a compliance seed. It’s totally fine to start now and build later. There’s a tremendous difference in ROI between doing nothing versus planting a seed.

But there’s good news! You don’t need a massive compliance team to create, implement and manage an ethics and compliance program. Just making a small investment (time, resources) has the potential to deliver big savings in the long run. Even if you can’t implement a massive, integrated privacy and security system that monitors and tracks every email in and out of your servers, you can at least have a firewall and spam filter.

Companies don’t have to rush out and hire someone to build new policies. It’s okay to start by simply giving the subject “mindshare” with your team. It doesn’t take a high-priced lawyer to know that if a manager is being abusive to an employee, you’re looking at up to tens of thousands of dollars in legal fees, not to mention a horrible corporate culture.

Find the issues that are being whispered

Sit down with your top three to five leaders to discuss any issues that have been reported or even whispered about. Get to the bottom of it; create a roadmap for improvements. It’s so much better to be in a position where you’re choosing your battles instead of being reactive, which can introduce inefficiencies, distract you from your priorities and even decrease morale.

If nothing else, take a step by talking to other business leaders and asking how they’ve identified and addressed relevant risks. They can be a great resource. For example, leave, medical and work accommodation standards vary by state. You might look to your professional employer organization (PEO) for advice included in your membership as a start, but even PEOs don’t always have the right answer in every case. Talking to the business owner down the street or on the floor below you is time well spent and can keep you from having to pay your way out of a situation.

Start fast, measure risk

These simple, immediate measures are far less expensive – maybe they cost you $1,500 if you meet a few times or need to pay for advice – and far less time-consuming than a $20,000 LexisNexis legal subscription covering every law in the world or a suite of top-tier attorneys. Plus, that small investment has the potential to save tens of thousands of dollars in legal fees, and perhaps even the business itself.

Start Fast. Measure Risk. Starting now is better than doing nothing.

Establish Your Compliance Pillars

What protocols and systems are ideal for those just getting started? There are seven common, but vital, compliance pillars to follow that can support your company, particularly if you’re involved in highly regulated industries like health care or finance. You can think about how each of these can be translated to your scale of effort:


  • Implementing written policies and procedures, so your standards of conduct are known.
  • Designating a compliance officer and committee, so initiatives are managed properly.
  • Conducting effective training and education, because an informed workforce mitigates risk.
  • Developing effective lines of communication, so your staff can voice concerns and management can address them in a healthy manner.
  • Conducting internal monitoring and auditing, so you can track and prove adherence.
  • Enforcing standards through well-publicized disciplinary guidelines, so everyone knows you are committed to these initiatives.
  • Responding promptly to detected offenses and undertaking corrective action, so employees know they’re safe and that you mean business.

Building a Culture of Ethics Shows That You Care

Truly care about your employees

If you truly care about your people (vs. selfishly making sure they remain silent out of fear of losing their jobs) then you realize these activities make sense. Further, for that ever-present legal consideration, you’ll benefit by being able to prove that you put effort into compliance activities that are reasonable for a company your size. Documenting discipline taken and showing consistency in how you treat exceptions goes a long way.

Building a transparent compliance culture keeps your workplace environment healthy and humane and protects your company’s reputation. Those who pursue growth at all costs, who think their employees are lucky enough to be part of something amazing and need to just suck it up, are in for a rude awakening. If you need examples of companies that got it wrong, think Uber and Theranos. The smaller your business, the more susceptible you are to the sicknesses that plagued these companies.

Employees will tell someone

Whereas employees used to be afraid to speak up about issues in the workplace, today, there’s honor in reporting injustice. Fellow employees, customers and entire communities will rally behind someone trying to right a wrong. Consider implementing a mechanism for employees to raise concerns anonymously and without fear of retaliation.

Companies are getting called out for inappropriate actions that are becoming less acceptable by the day, so it’s not just about regulatory enforcement. There are plenty of journalists, online forums and lawyers outside your team who will happily amplify those voices. You may as well join the audience, welcome the feedback internally, and set a process that protects employees from retaliation.

Set up an actionable culture of transparency – one that extends from the top down and bottom up. Reward those who are honest and step up: Use them as examples and celebrate these best practices. This holds reciprocal reward in terms of recruitment, employee retention, worker effectiveness, increased productivity and more. Building such trust will enable you to better handle particularly thorny issues and, on a more routine basis, allow for more candid feedback in areas such as performance reviews.

Do Your Homework

There are a wealth of online resources growing companies can reference to get a handle on the types of risks they could face before they occur.

There’s a lot of free content out there, as well as organizations and associations, that can help you tackle a lot of this. From your local chamber of commerce and the Society for Corporate Compliance and Ethics to various industry blogs and invaluable publications such as this, all have materials and resources available. Use them.

Compliance isn’t a boring policy that has no business value. The compliance moments you encounter when dealing with potentially thorny issues are where you establish your company culture – for better or worse. Compliance isn’t just about the minutiae of ticking the right boxes and creating paper trails; your culture is defined by what you say “no” to and reject, like abuse and favoritism, and the things that you celebrate and empower, which are hopefully candor and transparency.

Making sure your culture is healthy is essential for your success as a business; it’s not only how you take care of the people who do the work essential to your mission, but also how you express your values to the marketplace. Establishing a strong compliance practice means the potential for building a healthy workplace culture and leveraging your reputation for influence in your field.

Start small and build, but do something. Because there’s simply no ROI in doing nothing.

Giovanni Gallo is Co-CEO and Chief Development Officer at ComplianceLine, a provider of case management, exclusion screening and whistleblower hotline solutions that give caring leaders the visibility and clarity to care for their people.




How SOC2 Compliance easily achieves HIPAA & HITRUST

By Narendra Sahoo

Today, we are witnessing an accelerating transition of physical data to digital formats. This has pushed the need for strict security practices to protect that data from theft or breach. As personal information has become more valuable, the frequency and severity of security breaches have only increased over the years. To address these growing data security issues, a number of regulatory and compliance requirements have been established across industries for businesses to comply with. However, with so many standards in existence, businesses are often left confused about which compliance commitment is right for their organization. Among the best known are data protection laws and standards such as HIPAA, GDPR, CCPA and PCI DSS, all designed to protect the data and privacy of consumers.

Most of these industry standards and approaches have evolved to protect data better, yet their variety and complexity can leave you struggling to know where to begin. While each has specific and unique requirements, all of them demand a common baseline of best practices for the privacy and protection of data and services. That is why a well-known standard such as SOC2 helps organizations establish a solid foundation for information security, and implementing SOC2 also helps your organization keep up with the evolving demands of compliance. In this article we highlight how SOC2 compliance makes the process of achieving HIPAA compliance easier.

Understanding SOC2 & HIPAA Compliance

SOC2 and HIPAA compliance are two different sets of requirements that overlap on many fronts. There is an increasing trend of organizations using the SOC2 framework and its supporting Trust Services Principles to simplify the process of achieving HIPAA compliance. Organizations that seek to comply with the evolving HIPAA standards, particularly the HIPAA Security and Privacy Rules, may find the process much simpler if they have already achieved SOC2 attestation. Before looking at how the process becomes simpler, let us start with the basics of what SOC2 and HIPAA compliance are.

What is SOC2 Attestation?

SOC2 is an audit procedure that verifies an organization is securely managing customer data and protecting the interests and privacy of its clients. For security-conscious businesses, SOC2 compliance is a minimum requirement and a basic foundation for achieving other regulatory compliance.

What is HIPAA Compliance?

HIPAA is a federal law that requires the entities it covers, and their business associates, to protect the integrity and privacy of patients’ Protected Health Information (PHI). It requires those entities to prevent sensitive patient health information from being disclosed without the patient’s consent or knowledge; HIPAA compliance means meeting those requirements.

Establishing the Foundation with SOC2

Achieving compliance with HIPAA and SOC2 shows how serious an organization is about securing the privacy of consumers’ data. Today, organizations are keen to demonstrate stringent security controls as proof of their commitment to information security and data privacy. For this very purpose, SOC2 forms the foundation for achieving most compliance and regulatory requirements pertaining to protecting data. SOC2 can present organizations with significant advantages by demonstrating the effectiveness of the design and operation of an organization’s internal controls. SOC2 defines a set of criteria for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality, and privacy.

SOC2 Trust Service Principles

  1. Security: The system should be protected against unauthorized access, use, or modification.
  2. Availability: The system should be available for operation and use as committed or agreed.
  3. Processing Integrity: System processing should be complete, valid, accurate, timely, and authorized.
  4. Confidentiality: Information designated as confidential should be protected as committed or agreed.
  5. Privacy: The collection, use, retention, disclosure, and disposal of personal information should be in line with the commitments in the service organization’s privacy notice and with the criteria outlined in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA.

Defining the Systems in Scope

Determining which TSPs to validate against in order to meet the HIPAA mandates is a major concern for most people. In reality, all five TSPs have a credible connection with HIPAA compliance, but the organization should first define the relevant scope for achieving compliance. A SOC2 system is described in terms of the following five components:

  • Infrastructure – The physical and hardware components of a system, including facilities, equipment, and networks.
  • Software – The programs and operating software of a system, including applications, systems, and utilities.
  • People – The personnel involved in the operation and use of a system, which may include developers, operators, users, and managers.
  • Procedures – The automated and manual procedures involved in the operation of a system.
  • Data – The information used and supported by a system, including transaction streams, files, databases, and tables.

SOC2 and HIPAA Compliance: Requirements that Overlap

While the regulations an organization is expected to follow depend greatly on its industry, customer base, region, and market of operation, there are enough overlapping requirements between the established SOC2 criteria and various regulations, including HIPAA, to make SOC2 a good foundation for achieving HIPAA compliance. To show how far SOC2 gets you toward HIPAA compliance, the comparison below sets the SOC2 Trust Service Principles against the corresponding HIPAA requirements on the critical elements.

Security – SOC2 TSP: the system must be protected against unauthorized access, use, or modification. HIPAA: the Security Rule calls for the security of data and protection against unauthorized access or use, and requires three categories of protective measures:
  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards

Availability – SOC2 TSP: the system must be available for operation and use as committed. HIPAA: entities must ensure the availability of all ePHI they create, receive, maintain, or transmit.

Confidentiality – SOC2 TSP: information designated as confidential must be protected by all means. HIPAA: the confidentiality of PHI is given great emphasis; PHI cannot be disclosed to anyone without the consent of the patient.

Processing Integrity – SOC2 TSP: system processing must be complete, valid, accurate, timely, and authorized. HIPAA: integrity controls, or other measures, must be in place to confirm that ePHI is not improperly altered or destroyed.

Privacy – SOC2 TSP: the collection, use, retention, disclosure, and disposal of personal information must follow the organization’s policy and the GAPP. HIPAA: the Privacy Rule strikes a balance between protecting PHI and using the information only when it is necessary.


SOC2 and HITRUST CSF Convergence

HITRUST CSF is a security and privacy framework, initially built on ISO 27001, that meets the requirements of multiple regulations and standards. Over time, the CSF has evolved to incorporate a significant number of standards, regulations, and business requirements, organized into 14 high-level control categories, 46 control objectives, and 149 control specifications. The framework provides a way to comply with standards such as the ISO/IEC 27000 series and HIPAA. SOC2 reports are based on a reporting framework, whereas HITRUST CSF is a security and privacy control framework; even so, there are synergies between the SOC2 TSC categories and their underlying criteria on one side and the HITRUST CSF controls on the other. Pursuing HITRUST certification and SOC2 attestation in tandem makes more efficient use of resources, because the HITRUST CSF requirements cover many of those within a SOC2 attestation.

Simplifying Compliance Efforts

The bottom line is that organizations should select the standard best suited to their market and customers, and selecting a standard that also moves the organization closer to meeting another standard is critical. A SOC2 Type 2 audit is a broader framework and goes farther than ISO 27001 in measuring the design and operating effectiveness of systems. Because SOC2 covers a broader range of control requirements, it builds a foundation for achieving compliance with other regulations and simplifies the effort required to achieve and demonstrate compliance with HIPAA and HITRUST CSF. With a SOC2 attestation, your organization will be well positioned to satisfy a range of requirements under other regulatory regimes. However, it is important to note that while SOC2 makes compliance efforts easier, it is not a substitute for a HIPAA audit. HIPAA requires specific policies, personnel training, and breach remediation processes that are not covered in a SOC2 audit. So do not misinterpret SOC2 compliance as a substitute for a HIPAA or HITRUST audit.

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec, a foremost Company in the Infosec Industry.

Digital fraud, cyber crime increases globally during coronavirus

Connect Global Group holding virtual summit June 16

COVENT GARDEN, LONDON — The coronavirus outbreak is wreaking havoc on commercial activity across the globe and hastening cyber and financial crime.

A growing dependence on digital infrastructure — coupled with this sudden increased threat landscape — has raised the cost of failure. It has allowed cyber and financial criminals to feed on augmented levels of fear and uncertainty from those who are finding themselves online more and more, today and in the future.

The solution: Financial institutions need to activate boosted digital hygiene standards, be extra vigilant on verifications and follow official updates to protect customers and their own business.

That’s why Connect Global Group — known for its forums, professional training, content library, and community of experts — has put together perhaps the year’s most important interactive virtual summit on cyber and financial crime. The summit, called IDENTITY.i Virtual Summit, takes place June 16. The speakers and panel of international experts will focus on anti-money laundering (AML) technology and processes; know your customer (KYC) processes at large and small institutions; true digital identity verification; and effective methods of detecting and halting fraud and other financial crimes on systems that you or your customers run.

The IDENTITY.i Virtual Summit allows you to address key challenges in the areas of Open Banking and Digital Identity, Client Onboarding and Client Lifecycle Management, Financial Crime and Fraud — all from the comfort of your home office.

Tune in to more than 25 keynote speakers, access vital case studies and engage with in-depth panel discussions. Participants can also download hundreds of assets and publications in their “digital swag bag”, ask questions in real time, maintain networking bonds in the virtual lounge and see innovative solutions in the virtual exhibition hall.

Open Banking, innovation and digitization are imposing yet another operational challenge that will force financial institutions to rethink their day-to-day processes to achieve efficiency and effectiveness in KYC, client onboarding, AML, financial crime and fraud prevention. To be efficient, the community must come together to develop a single, standard, practical approach to customer onboarding and financial crime prevention built around the emerging technologies of digital identity, Open Banking, blockchain, ML and AI. Along with enabling operational efficiency and cost reduction, this will allow much-needed focus on de-risking, which is what makes AML, financial crime and KYC processes effective.

Key Take-aways from the upcoming IDENTITY.i Virtual Summit:

  • Understand emerging financial crime risks in an Open Banking world
  • Latest trends and challenges of tackling fraud in the digital age
  • Enhance Client Lifecycle Management (CLM) with AI
  • Revolutionize client onboarding with digital identity and AI
  • Streamline compliance with ML
  • Optimize KYC processes and information sharing among global banks

To register, please go here.

NLYTE survey: Most companies seek real-time view of software, technology assets

From Press Releases

More than 80 percent of technology asset decision-makers say a lack of technology asset management is a key business issue for the C-suite, the latest Nlyte Software survey shows.

Nlyte, which develops software for managing computing infrastructure, says the fact that almost a third (31 percent) of organizations still track their assets manually is no surprise.

The study, commissioned by Nlyte and delivered by Sapio Research, also found that almost two thirds (61 percent) of business leaders see a need for a real-time view of their technology and software assets. Over a third (37 percent) of respondents believe they could save 20 percent of their budget by remediating underutilized software, and 39 percent say they could save their IT delivery teams six to ten percent of their time in daily business operations – but only if they had a real-time view of the situation.

It’s all about the risk

Despite the apparent priority, the motivating factor behind a decision to implement asset control across the entire technology stack is most likely to be a cybersecurity breach, according to 29 percent of respondents. And there are stark differences in how managers and senior teams see the current state: C-suite respondents believe that assets are being scanned hourly (27 percent) or daily (35 percent), yet those at manager level are less confident (8 percent and 28 percent respectively).


It also seems that the majority (84 percent) of asset decision makers are still concerned about the prospect of a vendor software audit, and nearly a quarter (21 percent) of respondents face fines – a worrying figure that probably stems from an inability to manage processes well rather than from any deliberate misdemeanor.

“Organizations seeking to regain control of the disorderly technology assets proliferating throughout their organization would be advised to consider TAM,” said Robert Neave, cofounder, Chief Technology Officer, and Vice President of Product Management for Nlyte Software. “Across our transnational sample (USA, UK, and France) 96 percent say that hardware and software technology asset control is a top 5 priority for the business, yet this still isn’t being implemented across the board.”

Further findings from Nlyte’s research:

  • 61 percent told us that a real-time view of technology and software assets would enhance their IT innovation in support of their business goals.
  • Yet only 45 percent said that their assets are validated daily (30 percent do this weekly).
  • 50 percent are tracking assets in their data center, while a majority (62 percent) are doing so for desktops and laptops.
  • 78 percent of the global respondents claimed that up to 20 percent of their assets remain undetected by network scans.
  • On average 67 percent of devices have the latest security software and firmware patches; less than half (49 percent) have a solution that scans and validates all devices; 48 percent of devices are not proactively managed at all.
  • 36 percent of C-suite respondents aren’t tracking their edge assets – where the risk of intrusion is highest.

Technology Asset Management

Several of the learnings from this research showed that large organizations as a whole have no agreed, clear vision of what their asset management strategy is for. A lightweight, agentless technology-based solution such as TAM, one that isn’t limited to particular vendor platforms or industry protocols, removes these headaches. Such a solution allows for the discovery of any and all types of technology assets: compute, storage, network, software, firmware, IoT and more.

Nlyte’s TAM solution delivers a self-aware IT infrastructure by updating CMDB, DCIM, and BMS systems with current asset configuration and location, improving efficiency and SLAs on change management workflows and helpdesk tickets. It identifies everything attached to the organization’s network, providing detailed information about location, configuration, and accessibility, and monitoring for unplanned changes, unauthorized access, vulnerable software, and lost or unresponsive assets.

Access the whitepaper here:

Lockpath launches templates to Keylight Team Edition, premier GRC platform

Lockpath just launched templates for its Keylight Team Edition, its premier governance, risk management and compliance (GRC) platform.

Templates included with the platform are a pre-built starting point for customers to solve their initial compliance management needs, the company said.

“In today’s rapidly changing regulatory environment, businesses are continually seeking ways to streamline and improve their integrated solutions,” said Chris Caldwell, Lockpath’s co-founder and CEO. “Our platform helps them overcome the challenge of building and implementing a robust compliance program quickly and efficiently.”

The addition of templates to Keylight Team Edition gives customers the ability to quickly create and implement policies. The additional steps needed for an effective compliance management program, such as mapping to controls, logging awareness events and collecting attestations, can be accelerated with templates.

“Last year we launched Keylight Team Edition to give our SMB customers better access to an integrated risk management program and now templates further enhance this commitment to all of our customers,” Caldwell said.


Lockpath’s initial library of pre-defined templates includes the initial elements needed to comply with regulations and frameworks such as GDPR, CCPA (California Consumer Privacy Act), ISO 27001, NIST SP 800-53, Sarbanes-Oxley (SOX), HIPAA, COBIT, PCI DSS and more. The library will continue to expand based on customer feedback. Templates can also be customized to fit any organization’s specific needs and preferences.


Templates are continuously updated to remain current as regulations change. This gives our customers assurance knowing they will have access to reliable, up-to-date information.


“As regulations change frequently or new regulations are established, compliance can be a daunting task for even experienced practitioners,” said Chris Goodwin, Lockpath’s Chief Technology Officer and Co-Founder. “An organization can choose from any of our pre-built templates for the most widely used frameworks or regulations and customize them as needed.”

Lockpath’s templates will be available out-of-the-box to all Keylight Team Edition customers and can be added by request to Standard and Enterprise editions of Keylight. To learn more about Lockpath, the Keylight Platform and templates visit

About Lockpath: Lockpath is an enterprise software company that helps organizations understand and manage their risk. For more information on Lockpath and the Keylight Platform, visit

Strange Craft: The True Story of an Air Force Intelligence Officer’s Life with UFOs

U.S. Air Force Major George Filer belongs to the generation of pilots and airmen who first became aware of the strange aircraft showing up in the Earth’s atmosphere after World War II.

These men – military professionals who flew planes, commanded ships, served as radar operators and air traffic controllers at air fields around the world – began to whisper amongst themselves about encounters with suspected extraterrestrial aircraft. During secret debriefings at U.S. bases, pilots and air crew told their commanders of seeing strange lights at night and in the daylight, groups of saucer- or cigar-shaped craft that easily paced them just a few yards off their plane’s wingtip.

Award-winning investigative reporter John Guerra spent four years interviewing Filer, a decorated intelligence officer. From objects in the skies over Cold War Europe to a UFO overflight during the Cuban Missile Crisis to strange lights over the DMZ during the Tet Offensive, Filer leaves nothing out about his Air Force UFO encounters, providing Guerra all the amazing details of his six decades investigating extraterrestrials and their craft. Filer’s most memorable case – the shooting of an alien at Fort Dix Army Base in 1978 – is fully recounted for the first time in this book.

Filer – who readers have seen on countless UFO documentaries – is also a member of the Disclosure Project, the famous panel of military experts, astronauts, and scientists that urges the U.S. government to release all it knows about UFOs to the public.

Then, in the fall of 2017, the Pentagon released the F-18 gun camera footage of what can only be described as an extraterrestrial vehicle outperforming U.S. Navy fighters off San Diego … Keys writer John Guerra’s biography of real-life Air Force UFO investigator Maj. George Filer is now out on Amazon. Filer leaves nothing out about his own UFO encounters on the ground and in the air, providing Guerra all the important details of his six decades investigating extraterrestrials and their craft.

Order the book on Amazon



MetricStream report predicts 2019 GRC trends

From MetricStream’s “GRC 2019: The Known Unknowns” 


How will GRC roles evolve in the coming year? What are the weak links to watch out for? Find out in MetricStream’s report on the trends and predictions for 2019. The future of GRC will not just be about managing known risks or monitoring compliance. It will be about sustaining an organization’s social license to operate.


Balancing Value Protection and Value Creation

As enterprises strive to stay ahead of the curve, GRC executives will be expected to go beyond their traditional roles as the guardrails of the organization and become enablers of business performance and growth. They will need to find a balance between protecting value and creating it; between being the voice of reason in the C-suite and enabling the business to take the requisite risks to achieve the desired rewards. CROs, for instance, will be called on to help leadership teams decide when to launch a new product, or which markets to target first based on the associated risks and opportunities. In doing so, they will be seen as enablers of innovation.

Truth-tellers and Strategic Advisors

Boards will demand more transparency. They will want to respond more proactively to potential risks and opportunities. Therefore, CROs, CCOs, CAEs, and CISOs will need to deliver insights that are forward-looking, actionable, and performance enabling. They will also need to become better story-tellers, communicating their message clearly, succinctly, and in a way that the board can understand and act on. To support these efforts, new generations of GRC solutions will be designed to predict potential risks with greater accuracy and speed than ever.

Leading from the Front

More risk and compliance responsibilities will move down into the first line of defense. But first, organizations will need to think about how GRC can be adapted to the first line, not how the first line should adapt to GRC. How can GRC be made so intuitive that it becomes a seamless, almost inherent part of employee routines? The answers, to some extent, will lie with technology. GRC tools will increasingly be layered into the systems used by the first line in such a way that when an employee is confronted with a potentially risky or non-compliant transaction, the underlying technology will automatically trigger checklists and workflows to guide the employee towards making the right decision.

GAN Integrity adds new risk management module

From press releases

GAN Integrity this week launched its Risk Management module that builds on GAN’s all-in-one compliance platform. GAN designers say the module is designed to integrate seamlessly with the rest of GAN’s compliance components, so users can make strategic, data-driven decisions based on a holistic and real-time view of all compliance-related activities.

Companies can customize how they frame their risk management and shift to a dynamic approach. The tool complements annual risk assessments and helps compliance teams take action on next steps, company officials said.

“As an organization’s risk management evolves, so does GAN’s tool configuration, enabling real-time identification, assessment and management of all risks,” said Valerie Charles, chief strategy officer for GAN Integrity. “It empowers compliance teams to focus on what matters with technology that enables them to proactively manage any compliance issue that arises, at anytime, anywhere.”

The Risk Management module joins GAN’s comprehensive compliance platform, which includes Training, Due Diligence, Policy, Gifts and Case Management modules.

According to GAN Integrity engineers, the Risk Management module lets teams:

  • Identify: The user-friendly solution allows users to easily map and manage all risks across the company in a centralized risk library, along with any related controls and action plans.
  • Assess: Detailed information on specific risks enables users to design customized risk rating scales and matrices that are tailored to the organization.
  • Manage: Users exchange manual, paper-driven, siloed processes for a simple and user-friendly solution and import risk assessment data into a configurable tool.
  • Monitor: The module tracks compliance risks in real time using a heat map that enables a company to instantly react to critical changes to risks throughout the business. All changes and activity are saved for later reference.
  • Evolve: The module automatically updates risks based on changes to the business.


FCPA Blog: Panasonic case provides a teachable moment

By Erich Lochner

President and CEO, Steele Compliance Solutions Inc.

Erich Lochner, Steele Compliance Solutions

The Panasonic enforcement action in April — resulting in $280 million in penalties and disgorgement to the DOJ and SEC — offers almost every lesson a compliance officer might want to discuss about anti-bribery programs.

First, due diligence matters all the time, all the way down

As often happens with anti-bribery offenses under the FCPA, bribes were relayed to government officials through intermediaries and sales agents. Multiple agents working for Panasonic failed the company’s internal due diligence checks and parted ways with the company — and were then hired back as subcontractors, with a sales agent that had passed the due diligence.

That scenario underlines the point of what due diligence truly is: an effort to expel corrupt third parties from the enterprise permanently, rather than a simple background check to be performed at one moment in time.

If the mantra is, “Companies don’t commit crime; people working for companies do,” then due diligence programs should flag specific high-risk people and ensure they don’t work on behalf of the organization. That can require language in contracts with other third parties (to avoid subcontractor risk), follow-up audits, and similar measures.

Second, accounting controls also matter

Panasonic engaged in considerable books-and-records violations both to mask the improper payments and to inflate revenue and pre-tax income by recognizing revenue early. Panasonic ultimately paid more than $1.75 million to supposed sales agents who provided few (if any) actual services. None of that was properly recorded in the company’s books.

Moreover, Panasonic employees knew about, and concealed, the scheme to sub-contract the sales agents who had been terminated. The third party that employed those sub-contractors was paid from a Panasonic budget line under the sole control of a senior Panasonic Avionics executive, with no oversight from anyone else at the company.

Proper accounting controls are crucial to effective FCPA compliance, since they can choke off the supply of money necessary for criminal violations. For example, a company could require multiple executives to counter-sign any payment above, say, $50,000; and require documentation that the party receiving that money has delivered the services promised.

Compliance with the civil side of the FCPA (implementing strong accounting controls) supports compliance with the criminal side (not paying bribes).

Third, leadership determines whether the first two issues matter

Large organizations are always porous collections of people and business practices. Even the most exhaustive controls, policies, and procedures leave some crack where misconduct can sprout. Strong ethical leadership is the sealant that tries to fill those cracks. The absence of strong leadership does the company no favors.

In Panasonic’s case, an internal audit in 2010 flagged potential problems with high-risk agents, and that report was circulated among senior executives. No follow-up happened for years.

Panasonic didn’t disclose the misconduct voluntarily. Only when the Securities and Exchange Commission began requesting documents did Panasonic admit potential problems and begin cooperating. That said, after the investigation began Panasonic did cooperate fully, including a thorough internal investigation and providing foreign employees for interviews with the Justice Department.

The company ultimately received a 20 percent discount on its penalties, per the DOJ’s new FCPA Corporate Enforcement Policy (pdf).