NAVEX Global: 2023 Top Trends in Operational Risk Management report (English, 39 pages)
Top Trends for Managing Operational Risk
A NAVEX eBook

Table of Contents
Introduction
The Whistleblower Landscape: Reporting Trend Changes May Compel Organizations to Reassess Their Programs (Jane Norberg, Carrie Penman)
EU Whistleblowing Directive: Trends in Transposition and Adoption (Mark Robertson)
Privacy in 2023: What to Expect and How to Prepare (James Castro-Edwards, Nancy Perkins)
Third Party Risk in the Era of Sanctions Enforcement (Michael Volkov)
New Expectations of Executive Leadership: How Will You Prove and Certify Your Program Works? (Matt Kelly)
This Supreme Court Case Will Reverberate Throughout the Compliance and ESG World (Kristy Grant-Hart)
Staying Ahead of ESG Disclosures: What to Expect and How to Prepare (Colin Etnire)

Introduction
Each year, NAVEX publishes the Top 10 Trends in Risk and Compliance, which includes perspectives from industry experts and our own thought leaders. This publication informs readers about ongoing and upcoming trends to be aware of in order to ensure compliance more effectively within their organizations. While the full edition of the eBook focuses on two main themes, regulatory compliance and organizational integrity, this version contains the articles specific to regulatory change.

It is no secret that managing a truly effective governance, risk and compliance (GRC) program is challenging, and becoming more so every year. With frequently changing regulations and heightened geopolitical risk, staying compliant has never been more difficult or important for organizations.

Regarding regulatory changes, we continue to find the only constant is change. Sometimes the direction is clear, or at least consistent with expectations. For example, the examination of the EU Whistleblower Directive lays out what is in place today, and what to expect as each EU country transposes it. However, when it comes to the growing desire to codify environmental, social and governance (ESG) standards, we found the expectations are far less clear: more confusion than consensus.

Successful companies understand the importance of creating a culture that values ethics and compliance, and their organizations benefit from prioritizing these values. Not only will adhering to regulatory requirements prevent reputational backlash from compliance blunders; organizations that prioritize compliance are also more profitable and have better employee retention. With that in mind, we hope this year's guide will provide valuable insight for any and all GRC professionals dedicated to meeting the regulatory challenges ahead.

The Whistleblower Landscape: Reporting Trend Changes May Compel Organizations to Reassess Their Programs

Until recently, trends in whistleblower reports and behavior seemed to break through into the news cycle only when an extraordinary story made it into mainstream headlines. Now, reports of whistleblower actions and payouts are more frequently making news, and regulations protecting whistleblowers continue to take effect globally.

First, while legislatively protected whistleblowing for certain types of issues has been in place in the U.S. for some time, the international regulatory landscape is even more prescriptive than the U.S. on process and whistleblower protections. Ongoing global legislation, such as the EU Whistleblower Directive, the Japanese Whistleblower Protection Act, and the Australian Corporations Act, is affecting organizations' processes to receive, investigate and follow up on reports. Keeping up with the new regulations is proving to be challenging, especially for organizations with multinational operations.

Second, tips to, and awards paid by, the Securities and Exchange Commission (SEC) Office of the Whistleblower are setting records and getting attention from both employee reporters and their organizations. Further, a growing industry of plaintiff-side whistleblower attorneys feeding tips to the SEC and other agencies is capturing the attention of those who believe they haven't been heard internally or fear significant retaliation for raising a concern.
Add all of this to stresses and workplace changes resulting from the pandemic and remote work environments, and compliance programs are experiencing a changing whistleblower landscape. The recent SEC Annual Report, and data from over 1.4 million reports annually to NAVEX systems, provide some insights to help organizations understand the changing whistleblower landscape both internally and externally, and prepare them to adjust their programs accordingly.

External reporting trends
On November 15, 2022, the SEC Office of the Whistleblower issued its annual report for FY 2022. The same day, the SEC announced its enforcement results for FY 2022, which highlighted the Office of the Whistleblower as "an integral part of the Enforcement Program," and the whistleblower program as a critical tool in the SEC's enforcement arsenal. Both SEC reports reveal that whistleblower tips are an increasingly important source for SEC investigations and enforcement actions.

By: Jane Norberg, Partner, Arnold and Porter, and Carrie Penman, Chief Risk and Compliance Officer, NAVEX

The SEC reported receipt of 12,322 whistleblower tips in FY 2022. This was the largest number of tips received in any year in the history of the SEC's whistleblower program, which was established in 2011 following the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. During the two prior fiscal years, there were dramatic increases in the number of tips received. From FY 2020 to FY 2021, there was a 76% increase in whistleblower tips received by the SEC, and FY 2022 yielded a similar number of reports to the previous year. A chart in the original eBook illustrates this stark increase in reporting to the regulator. Although the reason for the increasing number of tips is not clear, one possible explanation is the prevalence of remote and hybrid working conditions, which make it easier for whistleblowers to gather evidence and report out to the SEC, for example by taking screenshots of documents or emails. But even as many companies began to require a return to the office in some capacity, the number of tips reported out to the SEC remained very high and may reflect a "new normal."

Global whistleblowing to the SEC: regulatory action and trends
As in prior years, the SEC's whistleblower program continues to have a global reach. According to the FY 2022 Whistleblower Report, tips were received "from all over the world," with the highest number of foreign tips originating from Canada, the United Kingdom, Germany, China, Mexico, and Brazil. All told, the SEC has received tips from over 130 countries worldwide since the beginning of the program. Companies should consider that employees in international operations may be inclined to report out to the U.S. regulator if they do not believe action is being taken internally to address their concerns. Therefore, policies and procedures around the handling of internal reports need to encompass international operations as well.

Whistleblowers report internally prior to reporting to the SEC
It is important to understand that most whistleblowers who received awards from the SEC first tried to raise their concerns internally, or did so at the same time as reporting to the regulator. In fact, according to the 2021 SEC Annual Report to Congress, "more than 75% raised their concerns internally to their supervisors, compliance personnel, or through internal reporting mechanisms, or understood that their supervisor or relevant compliance personnel knew of the violations," before reporting their information of wrongdoing to the Commission. This represents a downward trend from 2020. Unfortunately, the SEC did not report this figure for 2022; however, the historical information is illustrative of this trend.

Large whistleblower awards equal large corporate impact
The increase in tips may also be due to the very large whistleblower awards paid by the SEC. In FY 2022, the SEC awarded approximately $229 million in 103 awards. Over the life of the program, the SEC has paid out over $1.3 billion in whistleblower awards. Of course, large whistleblower awards equate to large corporate impact. Successful enforcement actions brought as a result of whistleblower tips have yielded more than $6.3 billion in total monetary sanctions ordered
since the beginning of the whistleblower program, including more than $1.3 billion during FY 2022 alone. The incentive for whistleblowers to report out potential misconduct remains high, as does the cost to companies from external whistleblower tips. The SEC also announced a focus on large penalties to effectively punish and deter misconduct, while noting that it will reward meaningful cooperation and remediation. Proper handling of an internal tip from an employee is the first step toward potential remediation and cooperation credit. Conducting a thorough internal investigation and engaging in appropriate remediation can help position a company to respond effectively to an enforcement investigation and minimize potential sanctions.

Internal reporting trends
Recent years have shown changes in internal reporting trends as well. For example, organizations saw a continuous decline in anonymous reports before and during the pandemic, indicating employees are becoming more confident or emboldened to give their name. NAVEX reporting over the last two years also shows the profound impact of the pandemic and remote work on outcomes such as "The Great Resignation." As of the end of 2021, internal reporting levels had not yet returned to pre-pandemic levels, yet, as described above, external reporting to the SEC has seen substantial growth. We expect to see internal reporting levels approach pre-pandemic levels when we publish the report for 2022.

[Chart in the original eBook: internal reporting levels by year, 2017 to 2021]

We also observe that issues related to workplace behavior and civility are increasing. In 2021, internal reports of retaliation nearly doubled. Reports about whistleblower retaliation have always been a small portion of the total, but they shot up from 0.9% in 2020 to 1.7% in 2021. Reports about harassment also rose (to 5.6%, an all-time high), as did reports about discrimination (to 4.7%). Taken altogether, these findings suggest employees are more attuned to workplace civility issues. That would fit with external trends such as more talk about systemic racism, income inequality and political divisions, as well as increasing protection for whistleblowers and employees' awareness of those protections.

Keyword searches of reporting data show that other social and political issues are becoming topics for internal reporting, too. For example, mentions of issues such as the war in Ukraine and economic concerns around inflation, a potential recession, layoffs, stimulus, and student debt forgiveness are on the rise. There is also a concerning increase in matters of workforce sentiment and mental health found in the keyword searches, including anxiety, depression, exhaustion, mental health, pressure, quiet quitting, and bullying cases. Internal reporting systems serve as an emotional lifeline in some cases. Noting that many compliance programs view human resource matters as "not compliance issues," it may be time to raise the profile of these types of matters within the compliance program and partner closely with human resource teams, who we know are already well aware of the increase in mental health issues facing their organizations.

Addressing the changing landscape
To prepare for and address this changing landscape, organizations will need to test their mindset about reports and reporters (especially regarding anonymous reporters) as well as review their processes for managing cases. For example, the ongoing economic conditions may lead to higher levels of anonymous internal reporting as employees fear retaliation for speaking up during periods of uncertainty. In our interactions with clients and customers, we continue to have conversations about the value and credibility of anonymous reports and reporters. We still hear about cases where the primary focus is determining who an anonymous reporter is rather than focusing on the issue raised. NAVEX data shows anonymous reports are substantiated at a rate close to that of named reports, indicating that while these reports may be more challenging to manage, they are valuable to our organizations.

Case closure time is another opportunity for review. The EU Whistleblower Directive sets out time limits for acknowledgement of case receipt and feedback to the reporter. We also know the Directive places some contingencies on who can view or investigate a report, adding complexity to processes that likely already have limited resources available to address them. This is a good time to assess capability to handle more pressure and more complex cases. A focus on ongoing communications with reporters, as well as a reduction in case closure times, will help to build trust in internal programs which, in turn, may help reduce external and anonymous reporting.

One other program component worthy of attention is managing fear of, and preventing, retaliation. As noted earlier, cases of retaliation are on the rise. Yet, according to NAVEX survey results, retaliation prevention is not a high-priority initiative for many organizations. The reasons for this disconnect are not clear, as the purpose of much of the legislation we described earlier is to protect whistleblowers from retaliation. Indeed, the SEC recently filed an amended complaint against the CEO of a company for retaliating against an employee who raised concerns within the company, and also for attempting to impede that employee from reporting to the SEC by cutting off their access to the company's IT system, among other things.

Perhaps most concerning, though, we expect to see continued growth in reporting of workplace civility issues including harassment, discrimination and retaliation, as the stresses and pressures of the ongoing political and economic climate continue. Organizations
will also need to prepare for the internal reporting system to be used more often for social and personal mental health issues as the stress and exhaustion of the last few years continue. While these may not all be, by definition, "compliance issues," they certainly impact a culture of compliance.

2023 prediction
Whistleblowers (reporters) have shown in recent years that they are more willing to take their concerns outside the organization if the issue is not addressed in a timely and appropriate way, as evidenced by the high levels of reporting to the SEC Office of the Whistleblower as well as the growth of social media sites like Glassdoor. With the potential for a recession in 2023, we expect to see continuing changes in trends for both internal and external reporting. Further, as more countries pass legislation to protect whistleblowers, we expect to see a continuing shift in the number and types of reports that both organizations and external regulatory agencies receive. Particular attention is needed on retaliation prevention programs. Now is the time to step back and take stock of the changing reporting and regulatory landscape. If not, we could see external reporting escalate as the first option for whistleblowers. Further, taking a more holistic view of the individuals we rely on to maintain, and report on, compliance will serve our organizations well.

About the Authors
Jane Norberg | Partner, Arnold and Porter
As the former chief of the Office of the Whistleblower at the Securities and Exchange Commission, Jane Norberg brings her extensive experience to help clients navigate regulatory, enforcement, governance, and compliance issues associated with whistleblowers. As a former senior officer in the Division of Enforcement at the SEC and a former special agent with the United States Secret Service, Ms. Norberg also brings her unique background and insights to assist clients in bringing regulatory and governmental inquiries to a successful resolution. Ms. Norberg represents public and private companies, financial institutions, individuals, and investment advisors on sensitive whistleblower and other complex matters, including internal, SEC and other government investigations; response to and defense of specific whistleblower allegations; securities enforcement and white-collar defense; whistleblower retaliation claims defense; proactive assessment and structuring of internal compliance mechanisms, policies and procedures; training boards of directors, management and workforces on internal reporting and retaliation; and crisis management counseling to mitigate reputational risk. Ms. Norberg also conducts sexual harassment and other sensitive investigations and educates boards of directors and executives about emerging whistleblower programs such as the Anti-Money Laundering Act whistleblower program and the NHTSA automotive whistleblower program.

During Ms. Norberg's tenure at the SEC (she joined the SEC in 2012 as deputy chief of the office and was appointed chief in 2016), she helped develop and lead the SEC's whistleblower program from near its inception. Under her leadership, the office's staff expanded and achieved record-breaking growth in both the number of whistleblower tips received and awards issued to whistleblowers under the program. Ms. Norberg has extensive experience and knowledge regarding whistleblower retaliation and is the leading expert on agreements that impede reporting in violation of Exchange Act Rule 21F-17, having directly advised on all whistleblower protection cases brought by the SEC during her tenure. She advised senior SEC leadership on emerging whistleblower issues and policies, and reported to Congress regarding the program's activities. Ms. Norberg also had a substantial advisory role related to the amendments to the SEC's whistleblower rules and has advised other domestic and international regulators on the development of new whistleblower programs. While at the SEC, Ms. Norberg also co-led a diversity and inclusion initiative across the Division of Enforcement.

Carrie Penman | Chief Risk and Compliance Officer, NAVEX
As chief risk and compliance officer for NAVEX, Carrie leads the company's formal risk management processes. She also oversees its internal ethics and compliance activities, employing many of the best practices that NAVEX recommends to its customers. Carrie has extensive client-facing risk and compliance consulting experience, including more than 15 years as an advisor to boards and executive teams, most recently as NAVEX's SVP of Advisory Services. She has also served as a corporate monitor and independent consultant for companies with government settlement agreements. Carrie was awarded the inaugural Lifetime Achievement Award for Excellence in Compliance 2020 by Compliance Week magazine. In 2017, Carrie received the ECI's Carol R. Marshall Award for Innovation in Corporate Ethics for an extensive career contributing to the advancement of the ethics and compliance field worldwide.

EU Whistleblowing Directive: Trends in Transposition and Adoption
By: Mark Robertson, Deputy Compliance Officer and Senior Counsel, NAVEX

It has now been three years since the EU whistleblower protection directive (the "Directive") entered into force. The Directive's minimum standards are certainly no great mystery at this point: entities meeting the fifty-worker threshold must establish internal reporting channels and procedures for the receipt of whistleblower reports and protection of the whistleblower against retaliation. What remains a challenging unknown, however, is the extent to which each member state's transposition of the Directive meets or exceeds the Directive's minimum standards. This is because of the staggered cadence of legislative enactments by EU member states and the failure of many member states to enact legislation at all. Now one year overdue as of this writing, there remain 13 member states that have yet to transpose the Directive into national law. Multinational organizations tasked with developing a harmonized approach to whistleblower reporting across the EU must do so with an incomplete picture of the legislative landscape.

But as we move into 2023, there is hope that this picture will be filled in. The majority of the 13 member states yet to transpose have published draft bills that are at various stages of the legislative process. The proposed bills provide a look at how these nations may codify the Directive's minimum standards. While the timelines of the enactments may differ among these nations, perhaps there exists some shared urgency as a result of the European Commission's commencement of infringement proceedings against these member states (as well as some that have transposed,
though only partially or untimely, as the European Commission tells it). Despite the delayed progress across the EU, there are lessons to be taken from the Directive itself and the national laws that have been enacted in the past year.

Shared resources
One of the most impactful requirements of the Directive is for entities with 50 or more workers to establish internal reporting channels and designate an impartial person or department to perform the follow-up, which includes any resulting investigation. The Directive makes allowance, however, for entities with 50 to 249 workers to "share resources as regards the receipt of reports and any investigation to be carried out." This ability to share resources was included in the Directive specifically because the Commission was "mindful of the more limited resources of medium-sized companies ... and with a view to helping them meet their obligations under the Directive."

Thus far, we have seen nations that have transposed likewise be mindful of the potential resource strain in this regard and incorporate this resource-sharing carve-out in favor of medium-sized entities. For example, the national laws of Cyprus, Denmark, Ireland and Portugal all include express allowance for medium-sized entities to share resources in this limited respect. Spain's draft legislation also includes this allowance in its present state. As more nations transpose, we can expect to see further adoption of this resource-sharing carve-out for medium-sized entities.

Initial assessments and additional communications to the whistleblower
The Directive describes two distinct points in time when the receiving entity must communicate with the whistleblower. First, there must be an acknowledgement of receipt of the report sent to the whistleblower within seven days of report receipt. Second, the entity must provide "feedback" to the whistleblower within "a reasonable timeframe ... not exceeding three months from the acknowledgment of receipt." This general framework (written acknowledgement followed by feedback) is apparent in the transpositions thus far.

There have also been additional steps required at the national level, including an initial assessment of the report and further communications to the reporter. For example, Ireland and Latvia both establish an obligation for the receiving entity to perform an initial assessment of the report and to communicate the results of that assessment to the reporter. In the case of Ireland, the assessment should consider "whether there is prima facie evidence that a relevant wrongdoing may have occurred." Under the Latvian transposition, the assessment is to include a decision whether to recognize the report as a whistleblower report. Under both laws, the assessment is to be communicated to the reporter. Ireland also introduced a continuing obligation to communicate status updates to the reporter, if requested. These further communications are to occur "at intervals of three months." These examples highlight the need to monitor each member state's draft and enacted legislation. As more member states transpose the Directive into national law, we may see additional nuances introduced that affect how organizations perform report intake and assessment and communicate with reporters.

Effective, proportionate and dissuasive penalties take shape
The Directive addresses at least one topic merely by describing the desired outcome, rather than through prescriptive rules defined by rigid timelines or worker counts: penalties. No specific punishments or monetary sanctions are set forth in the Directive. Rather, the Directive mandates that member states "provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons" for hindering reporting, retaliation, bringing vexatious proceedings, and breaching the duty of confidentiality,
and, in the case of reporters, for knowingly reporting false information. This aspect of the transposition process has been keenly watched by industry observers to see what level of personal and entity liability is established. To date, the national laws have responded to this mandate in a few ways. Some member states have established ranges of monetary fines that correspond to different violations. Portugal, for example, grouped violations into two tiers: serious offenses and very serious offenses. The latter, unsurprisingly, is paired with the higher ranges of potential fines (i.e., €1,000 to €5,000 for natural persons and €2,000 to €50,000 for legal persons). However, financial penalties against individuals are just one possible penalty under the Irish law. It provides, at least technically, for imprisonment of up to two years. One would have to think that imprisonment for violation of the duty of confidentiality would be a punishment reserved for the most malicious of intentional disclosures, but on the face of it, there is no element of scienter. In any event, consider this author dissuaded. The Irish law also creates two private rights of action. A reporter may bring an action in tort against an individual who discloses the reporter's identity to someone unauthorized to know it. Likewise, an individual may bring a tort action against a reporter who knowingly reports false information about the individual. These penalties likely suggest more of what is to come when the remaining member states transpose the Directive. It seems safe to assume that financial penalties will be available in future transpositions against both individuals and entities when there is retaliation or a breach of confidentiality in which the reporter's identity is made known beyond those authorized to know it.

2023 prediction
The coming year will continue to present challenges for organizations working to harmonize internal whistleblower programs across multiple EU member states, where some have transposed the Directive into national law and others have not. Organizations may wish to design or modify their programs to conform to the most protective of the national laws and, in any event, should ensure their programs are responsive to the Directive's minimum standards. We can reasonably expect more member states will transpose the Directive in 2023, but whether it is all delinquent member states or just some remains an open question.

About the Author
Mark Robertson | Deputy Compliance Officer and Senior Counsel, NAVEX
Mark maintains the company's risk and compliance program and advises the company on a wide array of legal matters, including intellectual property, compliance, employment, litigation, commercial transactions, and product development. Prior to joining NAVEX, Mark was in private practice, representing artists, entrepreneurs, and performing arts organizations in the music business. Mark earned his J.D. from Loyola Law School, Los Angeles and served as editor-in-chief for the Loyola of Los Angeles Entertainment Law Review. He received his B.A. in communications from the University of Puget Sound.

Privacy in 2023: What to Expect and How to Prepare
By: James Castro-Edwards, Counsel, Arnold and Porter, and Nancy Perkins, Counsel, Arnold and Porter

U.S. legal trends
Privacy law compliance in the United States today demands resilience, flexibility, and responsiveness. To date, the U.S. Congress has failed to enact broadly applicable privacy standards to govern companies uniformly nationwide. Seeking to fill the gaps in existing privacy regulation, the states are rapidly taking action, with one state in particular, California, leading the charge with a continually expanding set of privacy-related requirements to protect individuals residing in the state. California's initiatives have triggered other states to follow suit. In just the past two years, four other states enacted new consumer data privacy laws, all of which are scheduled to take effect in 2023. However, each state's version of consumer privacy law differs in various ways from the others. This means businesses will face an ongoing challenge in juggling privacy obligations under multiple regimes.

Adding to the complexity of the states' different privacy law frameworks, the Federal Trade Commission (FTC), which has broad jurisdiction over for-profit companies operating in the U.S., initiated a potentially far-reaching rulemaking process to address what it perceives to be major gaps in privacy and security protections for consumers. At the same time, the Department of Health and Human Services, which regulates a wide range of entities in the healthcare sector with respect to the privacy and security of protected health information, is poised to amend its privacy regulations. Further, the Securities and Exchange Commission (SEC), which regulates publicly traded companies, proposed new cybersecurity rules, while the federal banking agencies issued new rules for financial institutions and their service providers on notification of cybersecurity incidents.

For companies doing business in the U.S., this multifaceted privacy law environment can seem daunting. As is the case with most major challenges, a framework for formulating fundamental principles can help make compliance and data strategy more manageable. With limited resources to invest, keeping a realistic focus on significant risks, rather than getting mired in the minutiae of detailed requirements, can also prove beneficial. To help navigate this complex landscape, the paragraphs below suggest a conceptual roadmap for streamlining privacy efforts.

Common state law requirements
The five states that enacted broadly applicable consumer privacy laws (California, Colorado, Connecticut, Utah, and Virginia) have all embraced certain fundamental privacy principles and concepts, including
106、phs below suggest a conceptual roadmap for streamlining privacy efforts.Common state law requirementsThe five states that enacted broadly applicable consumer privacy laws California,Colorado,Connecticut,Utah,and Virginia have all embraced certain fundamental privacy principles and concepts,including
107、 many that are at the core of the European Union General Data Protection Regulation(GDPR)(discussed below).This trend is likely to continue in additional states.16NAVEX Adopting a clear,publicly available privacy notice that describes the companies data practices and individuals privacy rights Makin
108、g that notice available to individuals before collecting their personal information(wherever collection occurs)Adhering,without exception,to the statements in that notice,including to respect peoples privacy rightsEngaging in privacy-by-design to ensure the ethical collection and use of data(in line
109、 with lawful purposes)Making third-party recipients of data accountable to follow your statements about data use Ensuring an internal privacy program that documents compliance efforts and risk determinations and allows for monitoring and auditing of sameMaximizing the protection of data in accordanc
110、e with its sensitivity and the threats theretoNew complexities under the state laws as of 2023Although the five U.S.states broad consumer protection laws have fundamental similarities,the scope of Californias law,the California Consumer Privacy Act(CCPA),is notably more expansive than the laws of th
111、e other four states.This is due to the expiration of the laws previous exemptions for personal information about employees and business-to-business(B2B)contacts(such as customer representatives and vendor contacts).Further,theCalifornia Privacy Protection Agency,which was established as a new CCPA a
112、dministrative and enforcement authority in 2020,recently issued detailed draft regulations implementing the amendments to the Fueled by concerns that consumers lack knowledge of,and tools to control,how their personal data are being captured(particularly online),used and shared,the five states laws
113、all contain provisions requiring:Consumers be given notice(descriptions of what data is collected,and why,and who it is shared with)Privacy rights(some control over the use,disclosure and retention of their personal information and means to access and amend)Companies to implement privacy-by-design(e
114、nsuring privacy is considered up front and for specified purposes)Purpose limitations(forcing companies to collect and use data in accordance with a set of appropriate and lawful purposes)Security(protection of personal data)That companies are accountable(through enforcement and complaint mechanisms
115、,documentation requirements,and oversight and auditing requirements)These same principles are the backbone not only of the GDPR,but also of U.S.federal regulations governing the banking industry,healthcare industry,and industries handling childrens information,among others.They thus serve as a relia
116、ble framework for designing a privacy program even while the legal goalposts and guardrails for that framework are still under construction.Following these principles will go a long way in protecting against complaints from individuals or regulators.Key practical steps to implement these principles
117、include:17NAVEX CCPA adopted pursuant to the California Privacy Rights Act of 2020(CPRA).Businesses subject to the CCPA will have significant work to do to ensure compliance with those regulations,the enforcement of which is scheduled to commence in the third quarter of 2023.As noted,until January 1
118、,2023,the CCPA exempted from most of its requirements personal information about employees and B2B contacts.Until late August 2022,it was widely anticipated that the California legislature would extend these exemptions.Given these expectations,and because the other four states consumer privacy laws
119、contain permanent exemptions for such information,many companies have designed their privacy programs specifically to protect the personal information of consumers with whom they deal on a personal or household basis.Adjusting to the CCPAs new scope covering employee and B2B contact information as w
120、ell will be a challenge for these companies.In addition,both under the new CCPA regulations and other states privacy regimes,businesses will need to grapple with restrictions on,among other things:Uses and disclosures of“sensitive personal data”(as defined in varying ways)“Sales”of personal data Sha
121、ring of personal data,including online tracking information,for certain advertising purposesCollection of personal information of minors The specifics of these restrictions,and the requirements for implementing methods for consumers to opt-in or-out of these types of processing of personal informati
122、on,may be similar across certain states,and can be handled in a uniform manner,but they will not be uniform across all states.Again,this underscores the need for a flexible posture with a focus on areas of highest risk.Data transfers-the new EU-U.S.Data Privacy FrameworkA new EU-U.S.transatlantic da
123、ta flow agreement is expected to be finalized by the spring of 2023.The EU-U.S.Data Privacy Framework will enable the flow of personal data from data exporters in the EU to data importers in the U.S.who have signed up to the agreement.The Framework offers a flexible alternative to the European Commi
124、ssions Standard Contractual Clauses(SCCs)and Binding Corporate Rules(BCRs),which multinationals with a presence inside and out of the EU must otherwise use to share personal data(absent some small exceptions).The European GDPR prohibits the transfer of personal data to third countries that do not gu
125、arantee an adequate level of data protection.Third countries are countries outside the European Economic Area.The 18NAVEX European Commission declared a small number of third countries,such as Switzerland,Canada and Argentina as guaranteeing an adequate level of data protection.Such an adequacy find
126、ing means personal data may be freely transferred from EU Member States to the adequate third country.However,the transfer of personal data to third countries which have not been granted an adequacy finding(such as the U.S.)is prohibited,unless appropriate safeguards have been implemented.Currently,
127、the main appropriate safeguards are SCCs and BCRs,which may be onerous to implement or expensive and time consuming,respectively.More flexible data transfers were available in the form of the Privacy Shield and the Safe Harbor scheme,which were invalidated following the Schrems II and Schrems I deci
128、sions in 2020 and 2015 respectively.Multinationals will welcome the EU-U.S.Data Privacy Framework,which offers a business-friendly alternative to facilitate transatlantic data sharing.In October 2022,U.S.President Biden signed an executive order,which mandates legal safeguards over U.S.security agen
129、cies use of EU citizens personal data.This is a critical and long-awaited next step in the progress of the EU-U.S.Data Privacy Framework.Following the U.S.s move,the European Commission will need to make an adequacy finding,which could take as long as six months.If and when it does take effect,the F
130、ramework would operate as a replacement for the Privacy Shield.However,Max Schrems,founder of privacy non-profit NOYB,already expressed reservations regarding the level of protection guaranteed by the EU-U.S.Data Privacy Framework and a third challenge seems inevitable.If Schrems third challenge rep
131、eats his earlier successes,multinational businesses access to a flexible EU-U.S.data transfer solution may be short-lived.Only time will tell,as this plays out over the course of 2023.UK/EU divergence the data protection and digital information billIn the Queens Speech of May 2022,the British govern
132、ment announced its intention to reform U.K.data protection law.The government previously expressed its desire to take advantage of Brexit to realize the apparently conflicting aims of creating a more business-friendly data regime that promotes growth and innovation,while continuing to protect indivi
133、duals privacy rights.The draft Data Protection and Digital Information Bill was published in July 2022,in an effort to realize the governments intentions.Notwithstanding the governments ambitious claims,the bill amounted to little more than an evolution of the existing U.K.GDPR,rather than a radical
134、 overhaul.However,the changes the bill would have introduced regarding international data transfers potentially threatened the U.K.adequacy decision the European Commission made in June 2021.The adequacy decision enables the free flow of personal data between the EU and the U.K.following Brexit.The
135、European Commission may withdraw the decision if the U.K.data protection regime diverges too far from European data protection standards.Such a withdrawal would mean that organizations in EU member states would be prohibited from sharing personal data with the U.K.,which would be costly and disrupti
136、ve for multinational businesses with a presence in the U.K.and the EU.19NAVEX The draft Data Protection and Digital Information Bill looks set to make further progress,following the November announcement at the International Association of Privacy Professionals(IAPP)Congress 2022 in Brussels by DCMS
137、 deputy director Owen Rowland that the latest consultation on the Bill will commence shortly.The need for reform is questionable;while the U.K.GDPR may not be perfect,it is fit for purpose in striking a reasonable balance between protecting individuals rights and businesses interests.The British gov
138、ernment may dismiss the GDPR as overly unfriendly to business goals for data use.Yet,it seeks to give individuals choice and control over how their personal data is used and imposes heavy penalties on organizations that fail to abide by the rules.If the U.K.government pushes ahead with its proposed
139、reform,resulting in a U.K.data protection regime that fails to meet European standards,leading to a revocation of the U.K.s adequacy finding,companies will face a much-increased burden to enter into an appropriate data transfer solution,as well as carry out a transfer risk assessment,for transfers f
140、rom the EU to the U.K.The inevitable costs to businesses are likely to absorb at least some of the purported savings(or increased revenues from new data uses)the new legislation would make.Whether the British government will press ahead with its proposed reform remains to be seen,so the best advice
to multinational businesses is to watch this space.

2023 prediction

As noted, in recent years the U.S. Congress has considered, but failed to pass, various forms of federal privacy legislation. The new Congress taking over in 2023 is not likely to put a significantly new face on the prospects for passage of federal privacy legislation. Regulated entities therefore would do well to focus on the trends in the states, as well as the anticipated FTC rulemaking and the agency's ongoing privacy enforcement actions under Section 5 of the FTC Act. The European Commission's adequacy determination concerning the EU-U.S. Data Privacy Framework is expected imminently; whether or not it survives the almost inevitable Schrems III challenge remains to be seen. Meanwhile, U.K. businesses that trade internationally may well be hoping that the government sees sense and leaves well enough alone, rather than risking the U.K.'s adequacy decision and the free flow of data with Europe.

About the Authors

James Castro-Edwards | Counsel, Arnold and Porter
James Castro-Edwards provides counsel on global data protection compliance projects for multinational companies, advises on data protection issues, and helps companies respond to data breach situations. He represents a broad range of clients including financial, media and technology organizations, and medical device and pharmaceutical companies. In addition to advising clients on data protection issues, Mr. Castro-Edwards has created innovative data protection support, audit and training programs for clients. Earlier in his career, Mr. Castro-Edwards was in private practice and served as a solicitor in the data protection group at PwC Legal. He is widely published in a variety of titles, a regular public speaker on data protection issues, and wrote the textbook on the EU General Data Protection Regulation (GDPR) for The Law Society.

Nancy Perkins | Counsel, Arnold and Porter
Nancy Perkins focuses her practice on regulatory compliance and consulting on emerging policy issues, with a principal focus on data privacy and security and electronic transactions. Ms. Perkins regularly advises clients on compliance with a wide range of data protection requirements at the federal and state levels, including rules applicable to online communications and transactions as well as all types of uses and disclosures of medical, financial, and other sensitive personal information. She assists clients in structuring their activities, online service offerings, and privacy policies to comply with applicable laws and best practices, taking into account technological and intellectual property issues associated with the expansion of electronic commerce and Internet activities. Among other laws, Ms. Perkins frequently provides counsel on the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (as amended by the Fair and Accurate Credit Transactions Act), the federal E-Sign Act, the Children's Online Privacy Protection Act, and the Video Privacy Protection Act, as well as state privacy, security, data breach notification, and electronic signature laws.

Third Party Risk in the Era of Sanctions Enforcement
BY: MICHAEL VOLKOV, CEO, The Volkov Law Group, LLC

An uptick in sanctions activity dominated the global compliance landscape in 2022. Precipitated in large measure by the invasion of Ukraine by the Russian Federation, sanctions have re-emerged as a primary means of advancing foreign policy objectives, including a coordinated international response designed to cripple the Russian Federation's military-industrial capacity. These sanctions range from substantial new additions to the Specially Designated Nationals and Blocked Persons List (SDN List) maintained by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) to robust new export controls maintained by the U.S. Department of Commerce's Bureau of Industry and Security (BIS). In addition, foreign jurisdictions, principally the United Kingdom and the European Union, have leveled their own punitive measures against Russian oligarchs and industry for their complicity in the Ukraine conflict. Among other things, these restrictive measures include travel bans, financial prohibitions, export restrictions, and asset seizures.

In the third-party risk management context, risk-based due diligence of an organization's business partners, including but not limited to its suppliers, vendors, distributors, agents, service providers, and other intermediaries, is part and parcel of mitigating the risk of incurring liability under international sanctions regulations. While the breadth and depth of such due diligence varies considerably based on factors like jurisdiction, industry, and third-party role, the common aim of all such inquiries is to ensure that the organization has insight into the operations and ownership of the due diligence target. Where companies lack such information, the risk of violating sanctions regulations is considerable, because such laws reach not only designated entities and individuals but also the organizations they own or control: under OFAC's 50 Percent Rule, for example, an entity owned 50 percent or more, directly or indirectly, by one or more blocked persons is itself blocked even though it appears on no list.

Complying with OFAC sanctions

Foremost among the global sanctions regulations organizations should be cognizant of are those enforced by OFAC. Long considered the most aggressive and far-reaching sanctions leveled by any jurisdiction, sanctions imposed by OFAC
pursuant to both congressional mandates and presidential directives target myriad countries, regions, industries, entities, and individuals deemed to be participating in activities contrary to the national security or foreign policy objectives of the United States. Under selective sanctions targeting the Russian Federation that were announced in 2022, OFAC imposed a series of incrementally more aggressive prohibitions that now forbid virtually any new investment by U.S. persons in debt or equity of Russian Federation-based companies and the importation of crude oil and petroleum products of Russian origin. In a new development coincident with the publication of this report, OFAC expanded the applicability of its Russia sanctions to encompass even ancillary activities, such as maritime transportation services, for Russian Federation-origin crude oil sold above a predetermined price cap set by the United States and its allies. The intended effect of OFAC's action is to further constrain Russia's ability to export energy products abroad, thereby reducing the critical revenue that the Putin regime relies on to fund its ongoing Ukraine incursion.

While the sheer complexity of sanctions leveled against the Russian Federation on its own warrants additional attention by organizations' compliance functions, the threat of aggressive enforcement activity by the U.S. Department of Justice raises the stakes even further. As Deputy Attorney General Lisa Monaco emphasized in June 2022, sanctions "are the new Foreign Corrupt Practices Act," alluding to the fact that the DOJ is prioritizing enforcement against sanctions evasion to a much greater extent than in the past. As Monaco emphasized in the context of her remarks, the DOJ has dedicated significant investigatory and prosecutorial resources to enforcing Russian sanctions regulations, including creating a new task force dubbed "Task Force KleptoCapture" to prosecute intentional violations of U.S. sanctions regulations by Russian oligarchs. Monaco made it clear the DOJ would pursue such cases with "unprecedented intensity," and explicitly cautioned all businesses with international exposure to take the issue of sanctions compliance more seriously.

Staying ahead of third-party sanctions risk

In such an era of heightened enforcement, it is imperative that all businesses with potential ties to Russia, however remote, adopt appropriate policies, procedures, and internal controls with the aim of advancing sanctions compliance as a signature operational concern. To the extent an organization's third-party due diligence program is lacking in any way, it should act swiftly to identify those deficiencies now, and devote appropriate resources to remediating them before a sanctions violation arises. For instance, to the extent a company still relies on periodic manual screening of international sanctions lists to ensure its third-party partners remain compliant, it should plan on transitioning to automated screening utilizing a reputable sanctions screening solutions provider. Because sanctions regulations are subject to frequent change, organizations accustomed to more ad hoc, manual screenings are likely to find that their current third-party screening practices are insufficient to meet emerging regulator expectations. As one recent enforcement action demonstrated, even a modest interval between periodic manual screenings can result in significant violations of sanctions regulations.

Further, companies that have implemented automated sanctions screening should be cognizant that not all sanctions activity is list-based. In some instances, international sanctions regulations prohibit companies from engaging in specified conduct, for example furnishing maritime transportation services or engaging in certain financial transactions. In these circumstances, more in-depth due diligence is required to ensure that the underlying activity itself is not prohibited by law. Companies that lack a protocol for a more in-depth examination of third-party partners for sanctions risk should consider implementing one now. If internal resources are insufficient, the company should consider outsourcing its enhanced due diligence activities to a reputable compliance solutions provider or law firm. While due diligence itself is not an absolute guarantee that a sanctions violation will not occur, companies that can demonstrate a good faith, consistent effort to comply with sanctions regulations are the most
likely to benefit from leniency in any criminal, civil, or administrative proceeding.

2023 prediction

As mentioned above, sanctions enforcement activity remains a core priority of DOJ senior leadership. This emphasis is unlikely to shift anytime soon, as the Russian Federation's Ukraine incursion remains in full force. As a consequence, ethics and compliance professionals are charged with acquainting themselves with the basics of applicable sanctions regulations, both domestically and internationally, as they pertain to the operations of their respective organizations. Moving forward, any transactions with even the slightest Russian Federation nexus should be subject to scrutiny. Moreover, as sanctions regulations are subject to frequent change, organizations that lack automated continuous screening of their third-party relationships should intend on devoting resources to that effort now. More importantly, organizations that lack a process for a more enhanced analysis of the sanctions risk involved in sizable transactions should plan on allocating resources to this effort going forward.

About the Author

Michael Volkov | CEO, The Volkov Law Group, LLC
Michael Volkov, CEO of The Volkov Law Group, PC, is a recognized expert in anti-corruption enforcement and defense, internal investigations, ethics and compliance, and white-collar defense issues, with over 30 years' experience in practicing law. Mr. Volkov served for 17 years as an assistant U.S. attorney in the District of Columbia and has served on the Senate and House Judiciary Committees as the chief crime and terrorism counsel to the respective chairmen. He also served as a deputy assistant attorney general in the Office of Legislative Affairs of the U.S. Department of Justice and as a trial attorney in the DOJ's Antitrust Division. He also maintains the award-winning legal blog Corruption, Crime & Compliance.

New Expectations of Executive Leadership: How Will You Prove and Certify Your Program Works?
BY: MATT KELLY, CEO, Radical Compliance

As compliance officers enter 2023, they need to learn how to handle a double-edged sword: the Justice Department's new requirement that, as part of corporate misconduct resolutions, CCOs must certify the effectiveness of their compliance programs. If you wield that
183、sword correctly,certification requirements could be quite useful.They will force compliance officers and CEOs to think seriously about what an effective compliance program for their corporation should be able to do and then to marshal the necessary resources to bring that plan about.Mishandle the sw
184、ord,however,and you might end up skewered.What happens if you and the CEO disagree about the state of your compliance program?What data will you need to collect(from across the enterprise and your third parties)to satisfy the expectations of the Justice Department?Could CCOs face personal liability
185、if their certifications dont hold up?Thats the challenge now facing compliance officers.Youll need deft moves and skill to prevail.New Expectations of Executive Leadership How Will You Prove and Certify Your Program Works?The logic behind CCO certificationsFirst,we should step back and remember prec
186、isely what the Justice Department has done,and why.The requirement is that chief compliance officers and their CEOs will both need to certify at the end of a deferred-or non-prosecution agreement that the companys program“is reasonably designed and implemented to detect and prevent violations of the
187、 law and is functioning effectively.”So said assistant attorney general Kenneth Polite when he announced the requirement last May.The intentions behind program certification are laudable,at least.By forcing the chief executive and the CCO to certify the effectiveness of the compliance program,that a
188、ssigns accountability to those executives.It drives the importance of a culture of compliance up the companys priority list,ideally to the top.Compliance program certification also helps the Justice Departments broader effort to crack down on recidivist corporate misconduct and nurture a greater app
189、reciation of corporate compliance.Those CEOs who might need to certify their program also tend to sit on the boards of other companies;that helps to spread the message in corporate boardrooms that strong compliance programs matter.Moreover,when the CEO and CCO have to sign their names to a certifica
190、tion under penalty of perjury,that does tend 27NAVEX the company declines?When do you quit,rather than oversee a compliance program you believe to be substandard?It will be years before compliance officers have answers to all those questions,but even now,at the start of 2023,we can start to answer s
191、ome of them.Get better data,run better programs The immediate answer is that compliance officers need to work on building an effective compliance program in the first place,and then document why your program is indeed effective.Thats what the Justice Department will want to see if your company ever
192、faces a government investigation:evidence that the program was designed thoughtfully and works as intended.In that case,several specific capabilities become even more important:Risk assessments.Youll need to be able to identify new regulatory requirements and changes to your own companys operations,
193、and do so swiftly.Youll also need the ability to test compliance controls.Key performance indicators for the compliance program.Youll need relevant KPIs,and an ability to track changes in those KPIs over time.Data analytics.This isnt simply about collecting data(from multiple parties,in multiple for
194、mats).Youll also need some way to turn that data into meaningful insights about program weaknesses,problematic transactions,risk exposure,and the like.Third-party due diligence and monitoring.Third-party risk became an even more pressing issue in 2022,after Russia invaded Ukraine and the West respon
195、ded with sweeping,fast-moving sanctions against Russian persons.More broadly,as third parties play ever larger roles for corporate to focus the mind.Compliance officers and chief executives alike will want to convey the importance of effective compliance throughout the whole enterprise,and build the
196、 systems,policies,and controls necessary to meet that standard.So,one can see why,from the Justice Departments perspective,compliance program certification is a compelling idea.From the compliance officers perspective,of course,things look quite different.Facing new problems and perilsThe primary qu
197、estion for compliance officers is obvious:What happens if you certify that your program is“reasonably designed and functioning effectively,”and the company subsequently suffers a compliance failure anyway?Right now,we dont know.The Justice Department only began imposing certification requirements in
198、 2022.It might be years before an erroneous certification comes to light and when it does,the Justice Department will evaluate that case based on the specific facts at hand.Compliance officers wont have that luxury.Youll need to certify your program without knowing what future scenarios might prove
199、you wrong.Meanwhile,compliance officers will face other,more practical headaches along the way.If you and the CEO disagree over the health of the compliance program,who settles that dispute?If you join a company in the middle of a DPA or NPA,can you review or even redesign the pre-existing complianc
200、e program,if you believe it isnt up to standard?Can you ask for directors and officers insurance to protect you from possible legal costs?What if 28NAVEX organizations,your ability to manage their compliance risks will become even more crucial.Internal accounting controls.Weak accounting controls ar
201、e a perennial source of FCPA risk.Companies need to assess whether documentation and approval controls for high-risk payments are sufficiently strong,and for each transaction they need to confirm that employees follow the rules.Aside from those program-specific needs,theres a larger issue here.Compl
202、iance officers will also need to forge stronger relationships with the CEO and the board.After all,the CEOs signature will be next to yours on the certification forms,and the board is the ultimate source of authority for the organization.In a roundabout way,certification requirements could help prop
203、el your compliance program up the maturity curve,since CCOs should(ideally)have more influence with senior management.You can then reorient corporate priorities toward that stronger culture of compliance.The good news is that most CEOs and boards already value a strong culture of compliance,at least
204、 in theory;and most other senior executives do too.In 2023 and beyond,chief compliance officers will need to leverage that abstract enthusiasm into demonstrable,vocal,tangible support for the compliance program.Then,with luck,we wont need to worry about what happens to a CCO who signs a certificatio
205、n form that later proves invalid,because youll have that reasonably designed and effective compliance program in place.2023 predictionWe wont see a lot of chief compliance officers certifying the effectiveness of their compliance programs in 2023,but only because the Justice Department settles only
206、a relative handful of cases in any given year.Compliance officers will,however,need to have more frank conversations with their boards and senior management teams about investing in their compliance programs because CCOs unease about personal liability for program failures wont be going away.Complia
207、nce officers will need to think long and hard about how to assess risk and measure the effectiveness of their programs;and what their red lines will be for when they leave a job rather than participate in burying a compliance failure.About The AuthorMatt Kelly|CEO,Radical ComplianceMatt Kelly is edi
208、tor and CEO of Radical Compliance,a blog and newsletter that follows corporate governance,risk,and compliance issues at large organizations.He speaks and writes on compliance,governance,and risk topics frequently.29“Compliance officers and chief executives alike will want to convey the importance of
effective compliance throughout the whole enterprise, and build the systems, policies, and controls necessary to meet that standard.”

This Supreme Court Case Will Reverberate Throughout the Compliance and ESG World

BY: KRISTY GRANT-HART
CEO, Spark Compliance Consulting

Shockwaves hit publicly traded companies in March of 2022 when the SEC announced its proposed rule that would require public companies to include certain climate-related disclosures in their annual reports and registration statements. But now, thanks to the Supreme Court's decision in West Virginia v. EPA, those new rules and many others are seriously in question.

Recently, the Supreme Court has played a bigger and bigger role in shaping regulatory and compliance outcomes. Since 2018, when the Court unanimously held in Digital Realty Trust, Inc. v. Somers that internal whistleblowing did not qualify individuals for the Dodd-Frank protections against retaliation, the court's reach has become larger.

What happened in West Virginia

Over three presidential administrations, the EPA went back and forth with its Clean Power Plan, which was created to limit greenhouse gas emissions from power plants. The plan required increasing the use of cleaner energy like solar and wind and reducing the use of coal. The state of West Virginia and several other parties sued to block the regulations.

The Supreme Court took up the case and ruled in June 2022 that the EPA had overstepped its remit by enacting a sweeping regulatory scheme beyond that which had been authorized by Congress. They focused on the “major questions doctrine,” which, in a nutshell, says that when there is a question of “vast economic and political significance,” an administrative agency must identify a clear legislative statement made by Congress granting the agency the authority to use regulation to answer the question. Since Congress had made no such grant to the EPA to regulate the specific use of various types of energy, the Clean Power Plan could not be enforced.

Why this matters to compliance and ESG practitioners

Although this is the first time the major questions doctrine has been specifically relied upon, it follows a long list of cases upon which the core principle relies. This includes, notably for compliance practitioners, the decisions relating to the Occupational Safety and Health Administration's (OSHA) attempted COVID-19 vaccine mandate. The major questions doctrine can, and will likely, undermine many proposed or contemplated regulatory schemes. The West Virginia ruling sets the scene for court fights that may rein in the power of administrative agencies, especially when the agency's remit does not traditionally cover the area of regulation.

The ruling goes well beyond the EPA. It affects all federal agencies and provides a potent tool for petitioners to argue against administrative actions. These cases will lead to companies and compliance programs being stuck in limbo awaiting final answers from the court. What's worse? Some judges may stay the regulations while the cases work their way through the courts. Others may not, which means that the regulations may be in force for some time, while compliance and ESG practitioners wait to see whether the regulations will hold up in the long term.

Why the SEC's proposed disclosure rules are in question

Critics argue that the SEC's remit is to (1) protect investors, (2) maintain fair, orderly, and efficient markets, and (3) facilitate capital formation, not to regulate climate change disclosures. Of the SEC's proposed rules, a Wall Street Journal opinion piece stated that “the proposal would convert the federal securities regulator into a greenhouse-gas enforcer looking over the shoulders of exchange-listed companies' directors.” These critics state that the SEC's mandate only focuses on regulating the materiality of financial disclosures, not climate change. The SEC's position may be that, because so many investors care deeply about climate change, such disclosures are material to financial decisions.

Regardless, the major questions doctrine will likely be used to challenge the SEC's final set of rules governing climate change disclosure. The Court's West Virginia opinion states that congressional authorization is required for an agency to regulate matters of great political or economic significance. Climate change is most certainly a matter of great political significance, and companies have been publicly decrying the cost of implementing the proposed disclosure rules since they came out. Absent a grant of specific power to the SEC to regulate climate disclosures, petitioners may be successful in their challenge. Congress has, thus far, not tasked the SEC with regulating climate change disclosures, and the divided House and Senate are unlikely to do so in the upcoming term.

It's not just the climate change disclosures

Because the major questions doctrine applies to all federal agencies, other potential regulatory schemes may be challenged. After the recent collapse of the FTX cryptocurrency exchange and the resulting loss of over a billion dollars in customer funds, calls for the regulation of the cryptocurrency industry have grown louder. However, Congress has not tasked any administrative agency with tackling the problem, and therefore, under the major questions doctrine, until that happens, it may be argued that no agency has enforcement capacity.

Likewise, other regulations may be called into question. One law firm wrote that, in addition to cryptocurrency oversight, “other blockchain products, capital market regulations, FTC oversight, and antitrust and competition law” may be challenged in court using the major questions doctrine.

Congress may need to address how digital assets should be regulated, granting authority to the SEC or some other agency. If it does not, arguments will continue to rage about whether the SEC or another agency would be overstepping its mandate if it creates new schemes or laws to regulate that market.

What about emerging threats?

The West Virginia decision calls into question new schemes meant to regulate new technologies or emerging threats. For instance, if the next generation of technology invades privacy in a way not currently contemplated within the mandate of the FTC, does that mean that Congress will have to grant authority specifically over the technology in order to regulate it? Quite possibly.

Global implications

American regulations aren't the only game in town, of course. The SEC's rules on climate change disclosure have pushed many American companies to ramp up their ESG efforts. However, slowing those efforts down due to Supreme Court action won't stop the ESG disclosure push from other parts of the world. According to the Harvard Law School Forum on Corporate Governance, “Those who wonder what tomorrow's ESG regulation may be like should usefully turn to the EU, which has initiated significant reforms in this area for several years, most often based on the French model.”

The same is true for the cryptocurrency market. In October 2022, the European Union took a major step toward regulating cryptocurrency when the European Council approved the comprehensive Markets in Crypto-Assets regulation. While the vote in the European Parliament isn't expected until February 2023, the regulation, nicknamed MiCA, is widely expected to pass. In its current form, it would require crypto companies such as wallet providers and exchange platforms to seek authorization from national regulators within the EU.

What compliance officers should do now

All of this uncertainty puts compliance officers in a difficult place. To manage this challenge:

Identify the regulatory schemes that are likely to be challenged: The first thing to do is to identify the regulatory schemes that are likely to be challenged, then determine if they affect your business. If they do, then:

Make a tentative plan: Look at the proposed regulation and make a plan to comply with it. See if you can find synergies between other laws applying to your company in other parts of the world. Let them guide your planning.

Watch carefully: Many law firms put out alerts when the courts rule on significant regulatory matters or Congress passes important regulations affecting businesses. Ask to be added to the lists of these firms so you are alerted to these changes.

Pay attention to the rest of the world: When it comes to ESG, climate change, or privacy, look to Europe to guide your actions. Many European laws are, by design, meant to capture a company selling into the European Union even if the company has no physical presence in the bloc. By following European laws, you are likely to find yourself in compliance with many American laws when they come into force.

2023 prediction

The American regulatory landscape is likely to change in the wake of the West Virginia decision, but that doesn't mean the rest of the world will follow suit. We predict that if the SEC's rules are finalized in line with what was previously published, they may be challenged in court under the major questions doctrine, which might hold them up from being implemented or require revision. Other regulatory schemes may be challenged using the same grounds, which will cause uncertainty in the compliance and ESG world while the courts sort out which regulatory schemes can stay in place or be implemented. Pay attention, make a plan, and always follow the path of ethics and integrity to have a strong, defensible, and sustainable compliance program.

About The Author

Kristy Grant-Hart | CEO, Spark Compliance Consulting

Kristy Grant-Hart is the founder and CEO of Spark Compliance and the author of several highly acclaimed books, including the best-selling How to be a Wildly Effective Compliance Officer. She has advised Fortune 100 companies on international compliance and has created, implemented, and revamped compliance programs for major companies in Europe and the United States. Kristy was honored as a Trust Across America Top Thought Leader in Trust. A powerful and inspirational public speaker, Kristy provides keynote presentations to organizations and conferences globally. Kristy has written for and been featured in publications including the Wall Street Journal, Financial Times, Corporate Financier Magazine, Risk Universe Magazine and on the cover of Compliance and Ethics Professional Magazine. She is a former adjunct professor at Delaware Law School, Widener University, teaching Global Compliance and Ethics. Kristy was shortlisted for the Chief Compliance Officer of the Year award at the Women in Compliance Awards and was shortlisted again for the Compliance Innovator of the Year. Before launching Spark Compliance, Kristy was the chief compliance officer at United International Pictures, the joint distribution company for Paramount Pictures and Universal Pictures in 65+ countries. Kristy began her legal career at the international law firm of Gibson, Dunn & Crutcher, where she worked in the firm's Los Angeles and London offices. While at Gibson Dunn, her team was nominated for Best Regulatory Law Firm of the Year at the Thomson Reuters Compliance Awards. Kristy graduated summa cum laude from Loyola Law School in California. She holds certification as a Corporate Compliance and Ethics Professional International (CCEP-I) and is a member of the California Bar.

Staying Ahead of ESG Disclosures: What to Expect and How to Prepare

BY: COLIN ETNIRE
Head of ESG, BC Partners

When my private equity peers ask me how to handle ESG disclosures, my answer is typically, “don't let the tail wag the dog.” What I mean is, it's better to proactively report on what you know to be the most material and substantive representations of actual ESG performance for your companies, before being prompted to do so. In my experience, investors appreciate thoughtful, proactive disclosures, which saves them time issuing and chasing completion of proprietary forms; further, it engenders trust based on open and transparent communication of these key metrics and considerations.

While regulators require a more structured framework of reporting, I believe taking this proactive approach is still valid. Early movers in ESG disclosure will, at the very least, set themselves up better for inevitable regulation and get a head start, even if final requirements have a different total scope. Fundamentally, all of these disclosures serve the same purpose: to inform better investment decisions. The conversation around ESG has moved on significantly in recent years and it is no longer seen as mutually exclusive from strong returns. It is actually quite the opposite: it is seen as an essential lens through which to consider investment opportunities. In this context, the imperative to accurately inform your investors remains more important than ever.

How disclosures are born

Understanding what informs disclosure obligations and how they evolve is essential in knowing how to approach them. In the early days of ESG taking root in the private equity and wider investment industry, individual actors collected and reported information they deemed appropriate. These were informed largely by the practices in the (slightly) more established corporate sustainability sector that developed in collaboration with academics and NGOs. ESG officers at the various private equity firms collaborated informally, creating some consensus, but without formal obligations. Prominent asset owners, who are the primary investors in private equity funds, put out questionnaires or data requests as needed. Their counterparties, as well as smaller actors, frequently adopted the same approaches in order to streamline their work and maximize market acceptance.

Over time these informal collaborations became formal, though still voluntary, initiatives, notably the ESG Data Convergence Initiative (EDCI). These initiatives tend to be based on a set of key performance indicators (KPIs) deemed most essential and widely applicable, and were agreed across market actors through a consultation process. Processes like these have fed into the formal regulatory rulemaking across industry that has produced legislation such as the EU Sustainable Finance Disclosure Regulation (SFDR). The EU SFDR includes a similar set of “converged” KPIs as the EDCI. In time, the different regional standards will revise themselves to become more interchangeable to make business easier for multinationals.

How to predict the future

The good news for your business is these convergences are not unpredictable; the requirements that win out generally come from good sense and can therefore be identified well ahead of time. In anticipation of what a business will be required to report, the following are helpful considerations:

What issues are of generally universal interest, particularly within your industry?
What issues are relatively easy to quantify in a substantive way?
What issues have existing formal (voluntary or regulatory) initiatives in place globally?
Assuming an issue has been identified, is there a manner of tracking it that reflects the realities of a business?

Greenhouse gas (GHG) accounting is a very straightforward example of the above. It's of universal interest across all industries, it's easy to quantify substantively, a large body of organizations already govern its disclosure, and accommodations to reflect business realities (such as reporting intensity metrics rather than absolutes) are well accepted.

Taking a narrower example, in food and cosmetics supply chains, sourcing of palm oil is an important issue since it is linked to significant environmental degradation and other issues. While on the surface this degradation may seem difficult to quantify, the fact that a voluntary framework already exists, the Roundtable on Sustainable Palm Oil (RSPO), allows for a percentage of RSPO-certified procurement to be reported.

Another factor to consider is that many who oversee ESG initiatives are not necessarily experts in the area. However, the good news is developments are not unpredictable if you keep your ear to the ground. Look back to the description of how disclosures typically are born: the early stages involve academics and NGOs. So, following media on particular topic areas will surface issues well ahead of time. Then, as practitioners begin discussing it, it will crop up in trade publications and conferences. ESG matters such as climate change and diversity, equity, and inclusion (DEI) dominated agendas before they ever hit regulations. Around this point, you will begin to see formal requests from investors, customers, employees, NGOs, or other groups about the area, making the need for reporting on these topics very clear. By the time regulators begin discussing this, in what are typically lengthy rulemaking processes, you still have significant runway to prepare before you're required to formally report.

How to prepare
When you identify areas of increasingly urgent interest, keep in mind the adage “progress should not be the enemy of perfection.” It's always better to collect and report some information than none in this field, as long as it's represented accurately. GHG accounting is an infamously opaque exercise compared to its financial accounting cousin. However, while it does lean heavily on assumptions, using imprecision as an excuse to report nothing at all is much worse, both from a financial and an environmental perspective.

Second, ensure access to adequate expertise on the topic area. While this may seem daunting at first glance, it doesn't necessarily mean hiring an army of new employees. Frequently, existing employees already work on the topic and have quite a bit of knowledge, and simply need a bit of guidance for how to convert that knowledge into a useful ESG disclosure. For example, HR professionals already live the day-to-day of DEI, and already frequently collect and report demographic information. Another example is the access to ESG reporting metrics such as energy consumption, which is typically already available to facilities personnel and needs to be consolidated in a more formalized fashion. For more resource-constrained organizations, an outside consultant can be used to steer what specific ESG areas ought to be tracked and what measures need to be implemented, in lieu of hiring an entire team dedicated to ESG.

Third, pick a framework that makes sense for your business and commit to it, regardless of what you think the future may hold. For example, biodiversity is an incredibly hot topic on the conference circuit at the moment and has essentially no universally accepted definitions or assessment frameworks, despite the fact the EU requires disclosures in its SFDR. As such, you'll need to look at what others are doing and pick a framework that is a good fit for your organization. In this example, perhaps you have a Europe-based business and define a biodiversity sensitive area as a Natura 2000 space (EU-defined wildlife conservation area). You then use a spatial tool to look up if any of your operations are present in any of those areas and report the percentage that are. Perhaps you accidentally got it exactly right and predicted what would later become the regulation. But even if you don't, you have investors appreciative of your proactive disclosures that still provide useful information and are likely material to your business, even if you're not required to report on them. In the best-case scenario, your proactive leadership can encourage other market participants to adopt the same approach.

ESG disclosures do not have to be intimidating or burdensome. Imperfect disclosures now will help you comply with stricter and more complex regulations when they come down the road. The ESG field is relatively new and will mature in the years to come. Stay on the front foot, do not worry about heading in precisely the right direction, and simply start moving.

2023 prediction

For companies of any size, GHG accounting will become as normal and universal as financial accounting. Further, companies will realize (at least for Scopes 1 and 2) this accounting actually isn't particularly difficult. I also predict that biodiversity will finally get more widely accepted definitions of what constitutes biodiversity sensitive areas, and what basic procedures or resources can help assess businesses for their impact on them.

About The Author

Colin Etnire | Head of ESG, BC Partners

Colin Etnire joined BC Partners in 2020 as its Head of ESG and is based in the firm's New York office. Previously, Colin spent four years at The Carlyle Group as ESG Analyst, reporting to the chief sustainability officer, helping to implement an ESG program across Carlyle's platform. Prior to this, he worked for the New Hampshire Democratic Party and interned at the White House.

NAVEX is trusted by thousands of customers worldwide to help them achieve the business outcomes that matter most. As the global leader in integrated risk and compliance management software and services, we deliver our solutions through the NAVEX One platform, the industry's most comprehensive governance, risk and compliance (GRC) information system. For more information, visit NAVEX.com and our blog. Follow us on Twitter and LinkedIn.

AMERICAS
5500 Meadows Road, Suite 500
Lake Oswego, OR 97035
United States of America
+1 (866) 297 0224

EMEA + APAC
4th Floor, Vantage London
Great West Road
Brentford, TW8 9AG
United Kingdom
8939 1650

COPYRIGHT 2023 NAVEX GLOBAL. ALL RIGHTS RESERVED.