JANUARY 20, 2020 2021 BY TOM FOX
In today’s edition of Daily Compliance News:
The Compliance Life details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What are some of the skills a CCO needs to successfully navigate the compliance waters in any company? What are some of the top challenges CCOs have faced and how did they meet them? These questions and many others will be explored in this new podcast series. Over four episodes each month on The Compliance Life, I visit with one current or former CCO to explore their journey to the CCO chair. This month, my guest is Gwen Hassan, Managing Counsel and Director of Compliance at CNH Industrial.
In this third episode, Gwen shares the advice she would give to someone who may be interested in pursuing a career in compliance. She details the most challenging thing about being a compliance professional and what is the most rewarding. She looks into the future and explores where she sees the profession headed over the next decade and what new skill sets will be needed to be successful in 2025 and beyond.
After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it promptly, thoroughly and with competent personnel. The 2020 Update provided this series of questions about your internal investigations:
Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?
Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?
Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?
In a presentation, Jay Martin, retired Chief Compliance Officer at Baker Hughes and now Senior Counsel at Willkie Farr & Gallagher LLP, and Jacki Trevino, Senior Director, Advisory Services Group at SAI Global Limited, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up; and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document”, not only the steps you took but why and the outcome obtained.
Three key takeaways:
Robert Meyers is the Channel Solutions Architect for One Identity, a software company that helps organizations establish an identity-centric security strategy. Tom Fox welcomes him to this week’s show to talk about compliance, data privacy, and employee data issues.
The Role of One Identity
“Most companies forget about employees, and this gets impacted by GDPR,” Robert says. His role at One Identity allows him to explain to companies where they can fit identity protections for employees. He also helps companies with their logging systems to prevent them from sending out sensitive information into their log store. Robert adds that he also works as a consultant for partners and helps with privileged access management.
Data Has a Life Cycle
“Data itself should have a life cycle,” Robert emphasizes. The concept of never deleting anything and keeping copies of everything is a bad idea. Data discipline and data management governance expect that you remove data at an appropriate time. Robert reiterates that data privacy and data protection have to be integrated with operations because if they aren’t, they won’t be dealt with at all. In response to Tom’s question on who owns Compliance, Robert says that it has to be the Chief Operating Officer.
Tom asks Robert what businesses should expect to happen around data privacy between now and 2023. Robert says that there will be more risk assessment. Most breaches conducted within organizations are internal. He advocates for greater enforcement of laws and regulations as well as more legislation.