NAVEX Global: Top 10 Risk & Compliance Trends for 2023 (English edition, 56 pages, PDF)

Top 10 Risk & Compliance Trends for 2023
A NAVEX EBOOK

Table of Contents

Introduction (Sean Thompson)
The Whistleblower Landscape: Reporting Trend Changes May Compel Organizations to Reassess Their Programs (Jane Norberg, Carrie Penman)
The Next Era of R&C Management: Data-Informed Decisions Through Digital Transformation (A.G. Lambert)
EU Whistleblowing Directive: Trends in Transposition and Adoption (Mark Robertson)
Privacy in 2023: What to Expect and How to Prepare (James Castro-Edwards, Nancy Perkins)
Addressing Risk, Compliance & Integrity in the Extended Enterprise (Michael Rasmussen)
Third Party Risk in the Era of Sanctions Enforcement (Michael Volkov)
New Expectations of Executive Leadership: How Will You Prove and Certify Your Program Works (Matt Kelly)
Joining Forces with Learning and Development Will Improve Ethics and Compliance Education (Ingrid Fredeen, Megan Torrance)
This Supreme Court Case Will Reverberate Throughout the Compliance and ESG World (Kristy Grant-Hart)
Staying Ahead of ESG Disclosures: What to Expect and How to Prepare (Colin Etnire)

Introduction
BY: SEAN THOMPSON, President and CEO, NAVEX

It is no secret that managing a truly effective governance, risk and compliance (GRC) program is challenging, and becoming more so every year. It starts with an increasingly complex regulatory environment but does not end there. Successful leaders also understand that customers, employees, and other stakeholders will reward organizations for operating ethically and reject those that do not. In short, leaders must recognize that operating with integrity is just as important as complying with regulations.

So, it is fitting that these factors would inform NAVEX's Top 10 Trends in Risk and Compliance this year. With the twin pillars of regulations and integrity as guideposts, NAVEX consulted with industry experts, including several of our own thought leaders, to compile this annual assessment. It delivers their best thinking about what GRC professionals and other leaders should consider and prepare for in 2023.

With respect to regulations, the only constant is change. Sometimes the direction is clear, or at least consistent with expectations. For example, the following examination of the EU Whistleblower Directive lays out what is in place today, and what to expect as each EU country transposes it. However, when it comes to the growing desire to codify environmental, social and governance (ESG) standards, we found the expectations are far less clear, with more confusion than consensus.

On the topic of business integrity, there are clear indicators that GRC professionals' responsibility for maintaining a resilient, ethical corporate culture will intensify. Going forward, this will extend well beyond the organization's employees and facilities to include suppliers and other business partners. The recognition that third-party risk is also your risk is accelerating. Our examination shows that successful GRC programs address this additional risk not just during the supplier selection process, but continuously thereafter.

Taken together, these trends show a growing focus on regulatory compliance via creating a culture of integrity. This continued focus, and the ongoing challenges of meeting regulatory requirements, will undoubtedly elevate the Compliance function, positioning the role as even more critical to an organization's long-term success than ever before.

But perhaps the most encouraging trend identified this year is the growing demand for more and better GRC data. This is driving a digital transformation in our industry. More organizations are using sophisticated GRC information systems to collect and analyze relevant data that helps inform decision making and achieve better outcomes. We expect this trend to continue for years to come.

Finally, we expect that some of the trends identified in this report may contradict current assumptions, while others will confirm suspicions. Regardless, we hope this year's guide will provide valuable insight for any and all GRC professionals dedicated to meeting the challenges ahead.

The Whistleblower Landscape: Reporting Trend Changes May Compel Organizations to Reassess Their Programs

BY: JANE NORBERG, Partner, Arnold and Porter
CARRIE PENMAN, Chief Risk and Compliance Officer, NAVEX

Until recently, trends in whistleblower reports and behavior seemed to only break through into the news cycle when an extraordinary story made it into mainstream headlines. Now, reports of whistleblower actions and payouts are more frequently making news, and regulations protecting whistleblowers continue to take effect globally.

First, while legislatively protected whistleblowing for certain types of issues has been in place in the U.S. for some time, the international regulatory landscape is even more prescriptive than the U.S. on process and whistleblower protections. Ongoing global legislation, such as the EU Whistleblower Directive, the Japanese Whistleblower Protection Act, and the Australian Corporations Act, is impacting organizations' processes to receive, investigate and follow up on reports. Keeping up with the new regulations is proving to be challenging, especially for organizations with multinational operations.

Second, tips to, and awards paid by, the Securities and Exchange Commission (SEC) Office of the Whistleblower are setting records and getting attention from both employee reporters and their organizations. Further, a growing industry of plaintiff-side whistleblower attorneys feeding tips to the SEC and other agencies is capturing the attention of those who believe they haven't been heard internally or fear significant retaliation for raising a concern. Add all of this to the stresses and workplace changes resulting from the pandemic and remote work environments, and compliance programs are experiencing a changing whistleblower landscape.

The recent SEC Annual Report, and data from over 1.4 million reports annually to NAVEX systems, provide some insights to help organizations understand the changing whistleblower landscape, both internally and externally, and prepare them to adjust their programs to address it.

External reporting trends

On November 15, 2022, the SEC Office of the Whistleblower issued its annual report for FY 2022. The same day, the SEC announced its enforcement results for FY 2022, which highlighted the Office of the Whistleblower as "an integral part of the Enforcement Program," and the whistleblower program as a critical tool in the SEC's enforcement arsenal. Both SEC reports reveal that whistleblower tips are an increasingly important source for SEC investigations and enforcement actions.

The SEC reported receipt of 12,322 whistleblower tips in FY 2022. This was the largest number of tips received in any year in the history of the SEC's whistleblower program, which was established in 2011 following the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. During the two prior fiscal years, there were dramatic increases in the number of tips received. From FY 2020 to FY 2021, there was a 76% increase in whistleblower tips received by the SEC, and FY 2022 yielded a similar number of reports as the previous year. The chart below illustrates this stark increase in reporting to the regulator.

Although the reason for the increasing number of tips is not clear, one possible explanation is the prevalence of remote and hybrid working conditions, which makes it easier for whistleblowers to gather evidence and report out to the SEC, for example by taking screenshots of documents or emails. But even as many companies began to require a return to the office in some capacity, the number of tips reported out to the SEC remained very high and may reflect a "new normal."

Global whistleblowing to the SEC: regulatory action and trends

As in prior years, the SEC's whistleblower program continues to have a global reach. According to the FY 2022 Whistleblower Report, tips were received "from all over the world," with the highest number of foreign tips originating from Canada, the United Kingdom, Germany, China, Mexico, and Brazil. All told, the SEC has received tips from over 130 countries worldwide since the beginning of the program. Companies should consider that employees in international operations may be inclined to report out to the U.S. regulator if they do not believe action is being taken internally to address their concerns. Therefore, policies and procedures around handling of internal reports need to encompass international operations as well.

Whistleblowers report internally prior to reporting to the SEC

It is important to understand that most whistleblowers who received awards from the SEC first tried to raise their concerns internally, or did so at the same time as reporting to the regulator. In fact, according to the 2021 SEC Annual Report to Congress, "more than 75% raised their concerns internally to their supervisors, compliance personnel, or through internal reporting mechanisms, or understood that their supervisor or relevant compliance personnel knew of the violations," before reporting their information of wrongdoing to the Commission. This represents a downward trend from 2020. Unfortunately, the SEC did not report this figure for 2022; however, the historical information is illustrative of this trend.

Large whistleblower awards equal large corporate impact

The increase in tips may also be due to the very large whistleblower awards paid by the SEC. In FY 2022, the SEC awarded approximately $229 million in 103 awards. Over the life of the program, the SEC has paid out over $1.3 billion in whistleblower awards. Of course, large whistleblower awards equate to large corporate impact. Successful enforcement actions brought as a result of whistleblower tips have yielded more than $6.3 billion in total monetary sanctions ordered since the beginning of the whistleblower program, including more than $1.3 billion during FY 2022 alone. The incentive for whistleblowers to report out potential misconduct remains high, as does the cost to companies based on external whistleblower tips.

The SEC also announced a focus on large penalties to effectively punish and deter misconduct. They noted they will reward meaningful cooperation and remediation. Proper handling of an internal tip from an employee is the first step towards potential remediation and cooperation credit. Conducting a thorough internal investigation and engaging in appropriate remediation can help position a company to respond effectively to an enforcement investigation and minimize potential sanctions.

37、Internal reporting trendsRecent years have shown changes in internal reporting trends as well.For example,organizations saw a continuous decline in anonymous reports before and during the pandemic,indicating employees are becoming more confident or emboldened to give their name.NAVEX reporting over

38、the last two years also shows the profound impact of the pandemic and remote work on outcomes such as“The Great Resignation.”As of the end of 2021,internal reporting levels had not yet returned to pre-pandemic levels,yet,as described above,external reporting to the SEC has seen substantial growth.We

39、 expect to see internal reporting levels approach pre-pandemic levels when we publish the report for 2022.Noting that many compliance programs view human resource matters as“not compliance issues,”it may be time to raise the profile of these types of matters within the compliance program and partner

40、 closely with human resource teams who we know are already well-aware of the increase in mental health issues facing their organizations.201720182019 2020 20219NAVEX We also observe that issues related to workplace behavior and civility are increasing.In 2021,internal reports of retaliation nearly d

41、oubled.Reports about whistleblower retaliation have always been a small portion of the total,but they shot up from 0.9%in 2020 to 1.7%in 2021.Reports about harassment also rose(to 5.6%,an all-time high)as did reports about discrimination(to 4.7%).Taken altogether,these findings suggest employees are

42、 more attuned to workplace civility issues.That would fit with external trends such as more talk about systemic racism,income inequality and political divisions,as well as increasing protection for whistleblowers and employees awareness of those protections.Keyword searches of reporting data show th

43、at other social and political issues are becoming topics for internal reporting,too.For example,issues such as the war in Ukraine and economic concerns around inflation,a potential recession,layoffs,stimulus,and student debt forgiveness are on the rise.There is also a concerning increase in matters

44、of workforce sentiment and mental health found in the keyword searches including anxiety,depression,exhaustion,mental health,pressure,quiet quitting,and bullying cases.Internal reporting systems serve as an emotional lifeline in some cases.Noting that many compliance programs view human resource mat

45、ters as“not compliance issues,”it may be time to raise the profile of these types of matters within the compliance program and partner closely with human resource teams who we know are already well-aware of the increase in mental health issues facing their organizations.Addressing the changing lands

46、capeTo prepare for and address this changing landscape,organizations will need to test their mindset about reports and reporters(especially regarding anonymous reporters)as well as review their processes for managing cases.For example,the ongoing economic conditions may lead to higher levels of anon

47、ymous internal reporting as employees fear retaliation for speaking up during periods of uncertainty.In our interactions with clients and customers,we continue to have conversations about the value and credibility of anonymous reports and reporters.We still hear about cases where the primary focus i

48、s determining who an anonymous reporter is rather than focusing on the issue raised.NAVEX data shows anonymous reports are substantiated at a rate close to those of named reports,indicating that while these reports may be more challenging to manage,they are valuable to our organizations.Case closure

49、 time is another opportunity for review.The EU Whistleblower Directive sets out time limits for acknowledgement of case receipt and feedback to the reporter.We also know the directive places some We still hear about cases where the primary focus is determining who an anonymous reporter is rather tha

50、n focusing on the issue raised.NAVEX data shows anonymous reports are substantiated at a rate close to those of named reports,indicating that while these reports may be more challenging to manage,they are valuable to our organizations.10NAVEX contingencies on who can view or investigate a report,add

51、ing complexity to processes that likely already have limited resources available to address.This is a good time to assess capability to handle more pressure and more complex cases.A focus on ongoing communications with reporters as well as a reduction in case closure times will help to build trust i

52、n internal programs which,in turn,may help reduce external and anonymous reporting.One other program component worthy of attention is managing fear of,and preventing,retaliation.As noted earlier,cases of retaliation are on the rise.Yet,according to NAVEX survey results,retaliation prevention is not

53、a high-priority initiative for many organizations.The reasons for this disconnect are not clear as the purpose of much of the legislation we described earlier is to protect whistleblowers from retaliation.Indeed,the SEC recently filed an amended complaint against the CEO of a company for retaliating

54、 against an employee who raised concerns within the company,and also for attempting to impede that employee from reporting to the SEC by cutting off their access to the companys IT system,among other things.Perhaps most concerning though,we expect to see continued growth in reporting of workplace ci

55、vility issues including harassment,discrimination and retaliation,as the stresses and pressures of the ongoing political and economic climate continue.Organizations will also need to prepare for the internal reporting system to be used more often for social and personal mental health issues as the s

56、tress and exhaustion of the last few years continue.While these may not all be,by definition,“compliance issues,”they certainly impact a culture of compliance.2023 predictionWhistleblowers(reporters)have shown in recent years they are more willing to take their concerns outside the organization if t

57、he issue is not addressed in a timely and appropriate way,as evidenced by the high levels of reporting to the SEC Office of the Whistleblower as well as the growth of social media sites like Glassdoor.With the potential for a recession in 2023,we expect to see continuing changes in trends for both i

58、nternal and external reporting.Further,as more countries pass legislation to protect whistleblowers,we expect to see a continuing shift in the number and types of reports that both organizations and external regulatory agencies receive.Particular attention is needed on retaliation prevention program

59、s.Now is the time to step back and take stock of the changing reporting and regulatory landscape.If not,we could see external reporting escalate as the first option for whistleblowers.Further,taking a more holistic view of the individuals we rely on to maintain,and report on,compliance will serve ou

60、r organizations well.11NAVEX About The AuthorsJane Norberg|Partner,Arnold and PorterAs the former chief of the Office of the Whistleblower at the Securities and Exchange Commission,Jane Norberg brings her extensive experience to help clients navigate regulatory,enforcement,governance,and compliance

61、issues associated with whistleblowers.As a former senior officer in the Division of Enforcement at the SEC and a former special agent with the United States Secret Service,Ms.Norberg also brings her unique background and insights to assist clients in bringing regulatory and governmental inquiries to

62、 a successful resolution.Ms.Norberg represents public and private companies,financial institutions,individuals,and investment advisors on sensitive whistleblower and other complex matters,including internal and SEC and other government investigations;response to and defense of specific whistleblower

63、 allegations;securities enforcement and white-collar defense;whistleblower retaliation claims defense;proactive assessment and structuring of internal compliance mechanisms,policies and procedures;training boards of directors,management and workforces on internal reporting and retaliation;and crisis

64、 management counseling to mitigate reputational risk.Ms.Norberg also conducts sexual harassment and other sensitive investigations and educates boards of directors and executives about emerging whistleblower programs such as the Anti-Money Laundering Act whistleblower program and NHTSA automotive wh

65、istleblower program.During Ms.Norbergs tenure at the SEC she joined the SEC in 2012 as deputy chief of the office and was appointed to chief in 2016 she helped develop and lead the SECs whistleblower program since near its inception.Under her leadership,the offices staff expanded and achieved a reco

66、rd-breaking growth in both the number of whistleblower tips received and awards issued to whistleblowers under the program.Ms.Norberg has extensive experience and knowledge regarding whistleblower retaliation and is the leading expert on agreements that impede reporting in violation of Exchange Act

67、Rule 21F-17,having directly advised on all whistleblower protection cases brought by the SEC during her tenure.She advised senior SEC leadership on emerging whistleblower issues and policies,as well as reported to Congress regarding the programs activities.Ms.Norberg also had a substantial advisory

68、role related to the amendments to the SECs whistleblower rules and has advised other domestic and international regulators related to the development of new whistleblower programs.While at the SEC,Ms.Norberg also co-led a diversity and inclusion initiative across the Division of Enforcement.Carrie P

69、enman|Chief Risk and Compliance Officer,NAVEXAs chief risk and compliance officer for NAVEX,Carrie leads the companys formal risk management processes.She also oversees its internal ethics and compliance activities employing many of the best practices that NAVEX recommends to its customers.Carrie ha

70、s extensive client-facing risk and compliance consulting experience,including more than 15 years as an advisor to boards and executive teams;most recently as NAVEXs SVP of Advisory Services.She has also served as a corporate monitor and independent consultant for companies with government settlement

71、 agreements.Carrie was awarded the inaugural Lifetime Achievement Award for Excellence in Compliance 2020 by Compliance Week magazine.In 2017,Carrie received the ECIs Carol R.Marshall Award for Innovation in Corporate Ethics for an extensive career contributing to the advancement of the ethics and c

72、ompliance field worldwide.“To prepare for and address this changing landscape,organizations will need to test their mindset about reports and reporters(especially regarding anonymous reporters)as well as review their processes for managing cases.”13The term“digital transformation”has been a topic of

73、 conversation for decades as organizations continue their path to modernization and optimization.This transformation is indeed a journey,including migration to cloud-based infrastructure,shoring up cybersecurity measures,implementing software solutions to provide valuable insights,and more.As digita

74、l transformation continues,it is no surprise that the most successful businesses today rely on a host of technological solutions to run day-to-day operations.Managing risk and compliance across an organization is an area where digital transformation can provide a wealth of benefits.By embracing digi

75、tal transformation of ethics and compliance programs,organizations are better able to evaluate the cultural health of the company,remove information silos,increase collaboration and eliminate redundancies in technology.Leading organizations leverage the immense value in data derived from ethics and

76、compliance programs to create efficiencies and gain a better understanding of the company culture.Simplify the complexity of data managementThe amount of data any given organization produces can be overwhelming.When thinking of just the ethics and compliance data,this includes information such as ho

77、tline reports and related investigation outcomes,training and policy completion and attestation,conflict of interest disclosures,third-party supplier compliance(including sanctions compliance)and that is just the tip of the iceberg.When these data points are woven together,we begin to see the story

78、this tells about the culture and compliance health of the company.Further,were seeing a growing appetite for using these data points to benchmark against peers and present to executive leadership.However,for many organizations,this data is being managed but often this is done through siloed systems

79、and multiple software solutions.Simply put,the vast array of data is far too complex for manual analysis and management.To do so via spreadsheets and emails will inevitably lead to something critical being overlooked.As an organization grows in employee count or to other geographies,this BY:A.G.LAMB

80、ERTChief Product Officer,NAVEXThe Next Era of R&C Management:Data-Informed Decisions Through Digital Transformation14NAVEX problem gets exponentially more complex.The challenge this presents is twofold the diminishing ability for inadequate tools to achieve even the bare minimum of data management f

81、or the expanding organization,and the growing difficulty of analyzing that data for any meaningful insight.Given the breadth of this information,simplifying the complexity of governance,risk and compliance(GRC)data requires a consolidated information system,or GRCIS.More and more,were seeing organiz

82、ations that seek to gain a holistic understanding of GRC information migrating towards a consolidated platform to take advantage of the insights provided from ethics,compliance and risk data.Additionally,with increased requirements being imposed by the U.S.Department of Justice and other global regu

83、latory bodies,having access to program data,and using that data to actively manage compliance risks,is vital to prove program effectiveness.Arguably,the most important aspect of consolidating data from risk and compliance programs into a usable format is the ability to tell a story to leadership,emp

84、loyees and other stakeholders.When this data is scattered across multiple owners and resides in different systems,telling that story is made difficult.Most boards of directors receive periodic reports about compliance matters in fact,70%of respondents to NAVEXs 2022 Definitive Risk&Compliance Benchm

85、ark Report survey indicated this is the case so being able to consolidate this data is imperative to telling the story.Reduce cost and remove silosMost organizations today have to deal with silos in at least some parts of the business and the larger the organization,the more likely this is to happen

86、.Further,for large enterprises,there is more likely going to be a robust tech stack collecting data from across the organization.While technology solutions are vital to business operations,too many solutions can inadvertently silo data and increase costs to the business.Throughout the journey of dig

87、ital transformation,many organizations have continued to add solutions to their technology portfolio in hopes of gaining better insight and increasing efficiency.In some cases,it is years before leadership realizes all this has done is increase cost,create silos of information,and decentralize criti

88、cal information.While this conundrum applies to many departments in a given company,lets focus on GRC specifically.Were seeing a growing appetite for the consolidation of information related to ethics and compliance programs and risks,including hotline reporting,training,policy and procedure managem

89、ent,COI disclosure,third-party compliance,and more.Removing these silos is an important goal,and a much needed one for many organizations where compliance responsibilities are split across multiple departments which accounts for 21%of the respondents to the 2022 NAVEX survey benchmark.A thoughtful a

90、nd mature GRCIS can manage the wealth of data mined from these areas,thus reducing cost and removing the silos.Were seeing a growing appetite for the consolidation of information related to ethics and compliance programs and risks,including hotline reporting,training,policy and procedure management,

91、COI disclosure,third-party compliance,and more.15NAVEX This is particularly helpful because the data within each area can be consolidated to paint a picture of the cultural health of the organization.While small-and medium-sized businesses tend to have fewer silos and fewer resources,large enterpris

92、es tend to have more silos and resources.In either case,businesses of all sizes greatly benefit from a consolidation of GRC program data from the cost savings and the elimination of siloed information.Decrease redundancy and increase efficiencySince budgets are typically allocated on a by-department

93、 basis,wed be hard pressed to find an organization today that didnt have some redundancies in their technology portfolio.In years past,compliance programs were widely operating in shared drives with spreadsheets and email communications as the predominate method of management.Now,were seeing an appe

94、tite for analytics and efficiency built into software solutions something that is likely to increase as the potential for a recession continues to loom.According to a global survey of over 1,400 IT professionals conducted by Spiceworks Ziff Davis,even though half of surveyed organizations plan to ta

95、ke precautionary measures to prepare for economic slowdown,51%are still planning to increase IT budgets in 2023.Also,according to the survey,common preparations for an economic downturn include“re-evaluating vendors or contracts”,and“decommissioning unnecessary infrastructure.”While technology spend

96、ing may be on the rise,its clear that most organizations must make these choices thoughtfully and not simply add solutions to the tech stack.In this same survey,26%of respondents indicated“consolidating redundant tech”as one of the measures their organization is taking to prepare for a potentially t

97、urbulent economy in 2023 and beyond.While this percentage may appear smaller than expected,when combined with“re-evaluating vendors or contracts”(30%),“strategic refocusing”(28%),and“adapting products or services”(26%),it is clear organizations are focused on decreasing redundancy and increasing eff

98、iciency.There are several areas of overlap within GRC programs and other departments where redundancy can be reduced.For example,while compliance training is traditionally handled by the chief compliance officer or equivalent,employee onboarding is usually the purview of human resources.So,in this e

xample, if completion and attestation for HR and Compliance trainings are being tracked in disparate systems, there is an increased likelihood of incomplete or missing information. Another common example is policy management, which, for many, is managed with emails and shared drives. The version-control predicament this can create is not only inefficient; in some cases it can be dangerous (e.g., in a healthcare scenario where following proper procedure can be a life-or-death situation). However, when information is centralized and access and version control are consistently managed, organizations are able to ensure a consistent experience, all while eliminating redundant information and creating a more efficient workflow.

2023 prediction

Increased regulatory enforcement for compliance infractions and growing public attention to how businesses operate will cause organizations to prioritize their ethics and compliance efforts. This is especially salient to compliance officers who are being asked to prove their program works in practice. The required level of transparency will require data from across the company in order to effectively tell the story to regulators, stakeholders, employees and the public. As organizations prepare for an economic downturn, the emphasis on efficiency will play a large role in how technology is evaluated. Public attention is also likely to stay focused on how organizations operate, including misconduct, supply chain and third-party integrity, data security, and more. All of these forces combined means organizations will prioritize using digital solutions to monitor the metrics that matter and take the data yielded to demonstrate their accountability and compliance. In this turbulent, 24/7 news cycle environment, companies that do the right things the right way will yield better results in the long term, and those that fail to prioritize ethics and compliance as a cultural pillar will eventually face regulatory enforcement and reputational damage. To that end, consolidating data from GRC programs and using it effectively will be key to enhancing cultural health within organizations and maintaining regulatory compliance as those requirements evolve.

About The Author

A.G. Lambert | Chief Product Officer, NAVEX

A.G. Lambert is chief product officer at NAVEX, where he is responsible for driving the company's product vision and strategy. Helping NAVEX further its product innovation and leadership, A.G. is expert at optimizing product strategy to meet current and future needs of customers, partners and the industry. Prior to joining NAVEX, A.G. served as chief product strategy officer at SAP Concur. He has also held positions leading product management and marketing teams at Saba, Infor, Extensity and Autodesk. A.G. earned a degree in physics and English literature from Washington University, and an MBA from the Haas School of Business at the University of California, Berkeley.

BY: MARK ROBERTSON
Deputy Compliance Officer and Senior Counsel, NAVEX

EU Whistleblowing Directive Trends in Transposition and Adoption

It has now been three years since the EU whistleblower protection directive ("Directive") entered into force. The Directive's minimum standards are certainly no great mystery at this point: entities meeting the fifty-worker threshold must establish internal reporting channels and procedures for the receipt of whistleblower reports and protection of the whistleblower against retaliation. What remains a challenging unknown, however, is the extent to which each member state's transposition of the Directive meets or exceeds the Directive's minimum standards. This is because of the staggered cadence of legislative enactments by EU member states and the failure of many member states to enact legislation at all. Now one year overdue, as of this writing, there remain 13 member states that have yet to transpose the Directive into national law. Multi-national organizations tasked with developing a harmonized approach to whistleblower reporting across the EU must do so with an incomplete picture of the legislative landscape. But as we move into 2023, there is hope that this picture will be filled in. The majority of the 13 member states yet to transpose have published draft bills that are at various stages of the legislative process. The proposed bills provide a look at how these nations may codify the Directive's minimum standards. While the timelines of the enactments may differ among these nations, perhaps there exists some shared urgency as a result of the European Commission's commencement of infringement proceedings against these member states (as well as some that have transposed, though only partially or untimely, as the European Commission tells it). Despite the delayed progress across the EU, there are lessons to be taken from the Directive itself and the national laws that have been enacted in the past year.

Shared resources

One of the most impactful requirements of the Directive is for entities with 50 or more workers to establish internal reporting channels and designate an impartial person or department to perform the follow-up, which includes any resulting investigation. The Directive makes allowance, however, for entities with 50 to 249 workers to "share resources as regards the receipt of reports and any investigation to be carried out." This ability to share resources was included in the Directive specifically because the commission was "mindful of the more limited resources of medium-sized companies … and with a view to helping them meet their obligations under the Directive." Thus far, we have seen nations that have transposed likewise be mindful of the potential resource strain in this regard and have incorporated this resource-sharing carve-out in favor of medium-sized entities. For example, the national laws of Cyprus, Denmark, Ireland and Portugal all include express allowance for medium-sized entities to share resources in this limited respect. Spain's draft legislation also includes this allowance in its present state. As more nations transpose, we can expect to see further adoption of this resource-sharing carve-out for medium-sized entities.

Initial assessments and additional communications to whistleblowers

The Directive describes two distinct points in time when the receiving entity must communicate with the whistleblower. First, there must be an acknowledgement of receipt of the report sent to the whistleblower within seven days of report receipt. Second, the entity must provide "feedback" to the whistleblower within "a reasonable timeframe … not exceeding three months from the acknowledgment of receipt." This general framework (written acknowledgement followed by feedback) is apparent in the transpositions thus far. There have also been additional steps required at the national level, including an initial assessment of the report and further communications to the reporter. For example, Ireland and Latvia both establish an obligation for the receiving entity to perform an initial assessment of the report and to communicate the results of that assessment to the reporter. In the case of Ireland, the assessment should consider "whether there is prima facie evidence that a relevant wrongdoing may have occurred." Under the Latvian transposition, the assessment is to include a decision whether to recognize the report as a whistleblower report. Under both laws, the assessment is to be communicated to the reporter. Ireland also introduced a continuing obligation to communicate status updates to the reporter, if requested. These further communications are to occur "at intervals of three months." These examples highlight the need to monitor each member state's draft and enacted legislation. As more member states transpose the Directive into national law, we may see additional nuances introduced that affect how organizations perform report intake and assessment and communicate with reporters.

Effective, proportionate and dissuasive penalties take shape

The Directive addresses at least one topic merely by describing the desired outcome, rather than through prescriptive rules defined by rigid timelines or worker counts: penalties. No specific punishments or monetary sanctions are set forth in the Directive. Rather, the Directive mandates member states "provide for effective, proportionate and dissuasive penalties applicable to natural or legal persons" for hindering reporting, retaliation, bringing vexatious proceedings, and breaching the duty of confidentiality, and, in the case of reporters, for knowingly reporting false information. This aspect of the transposition process has been keenly watched by industry observers to see what level of personal and entity liability is established. To date, the national laws have responded to this mandate in a few ways. Some member states have established ranges of monetary fines that correspond to different violations. Portugal, for example, grouped violations into two tiers: serious offenses and very serious offenses. The latter, unsurprisingly, is paired with the higher ranges of potential fines (i.e., €1,000 to €5,000 for natural persons and €2,000 to €50,000 for legal persons). However, financial penalties against individuals are just one possible penalty under the Irish law. It provides, at least technically, for imprisonment of up to two years. One would have to think that imprisonment for violation of the duty of confidentiality would be a punishment reserved for the most malicious of intentional disclosures, but on the face of it, there is no element of scienter. In any event, consider this author dissuaded. The Irish law also creates two private rights of action. A reporter may bring an action in tort against an individual who discloses the reporter's identity to someone unauthorized to know it. Likewise, an individual may bring a tort action against a reporter who knowingly reports false information about the individual. These penalties likely suggest more of what is to come when the remaining member states transpose the Directive. It seems safe to assume that financial penalties will be available in future transpositions against both individuals and entities when there is retaliation or a breach of confidentiality in which the reporter's identity is made known beyond those authorized to know it.

2023 prediction

The coming year will continue to present challenges for organizations working to harmonize internal whistleblower programs across multiple EU member states, where some have transposed the Directive into national law and others have not. Organizations may wish to design or modify their programs to conform to the most protective of the national laws and, in any event, should ensure their programs are responsive to the Directive's minimum standards. We can reasonably expect more member states will transpose the Directive in 2023, but whether it is all delinquent member states or just some remains an open question.

About The Author

Mark Robertson | Deputy Compliance Officer and Senior Counsel, NAVEX

Mark maintains the company's risk and compliance program and advises the company on a wide array of legal matters, including intellectual property, compliance, employment, litigation, commercial transactions, and product development. Prior to joining NAVEX, Mark was in private practice, representing artists, entrepreneurs, and performing arts organizations in the music business. Mark earned his J.D. from Loyola Law School, Los Angeles and served as editor-in-chief for the Loyola of Los Angeles Entertainment Law Review. He received his B.A. in communications from the University of Puget Sound.
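The communication deadlines this chapter describes (acknowledgement within seven days of receipt, feedback within three months of the acknowledgement, and, under the Irish transposition, status updates at three-month intervals when requested) are easy to get wrong when tracked by hand across many cases. The following Python deadline tracker is an added example, not code from the ebook or from NAVEX. It assumes a "jurisdiction" flag where "IE" switches on the Irish status-update cadence, that the first status update is counted from the acknowledgement and later ones from the previous update, and it uses calendar-month arithmetic that clamps to the last day of the month; the report identifiers and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target
    month (e.g. 30 Nov + 3 months -> 28/29 Feb), so a deadline never falls on
    a non-existent date."""
    years, zero_based_month = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, zero_based_month + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class Report:
    """One whistleblower report and what has been communicated so far.
    Constructed data model for this example, not NAVEX's."""
    report_id: str
    received: date
    jurisdiction: str = "EU"          # "EU" = Directive minimum; "IE" adds Irish status updates (assumed flag)
    acknowledged: Optional[date] = None
    feedback_given: Optional[date] = None
    status_update_requested: bool = False
    status_updates: List[date] = field(default_factory=list)


def ack_deadline(r: Report) -> date:
    # Directive: acknowledgement of receipt within seven days of report receipt.
    return r.received + timedelta(days=7)


def feedback_deadline(r: Report) -> date:
    # Directive: feedback not exceeding three months from the acknowledgement.
    # If no acknowledgement has been sent yet, measure from the latest date it
    # could lawfully have been sent, so the deadline is never underestimated.
    anchor = r.acknowledged or ack_deadline(r)
    return add_months(anchor, 3)


def next_status_update_due(r: Report) -> Optional[date]:
    # Irish transposition: status updates "at intervals of three months", if
    # requested. Assumption: count from the last update given, otherwise from
    # the acknowledgement (or its deadline if none was sent).
    if r.jurisdiction != "IE" or not r.status_update_requested:
        return None
    if r.status_updates:
        anchor = r.status_updates[-1]
    else:
        anchor = r.acknowledged or ack_deadline(r)
    return add_months(anchor, 3)


def overdue_items(r: Report, today: date) -> List[str]:
    """Return the names of the obligations that are overdue as of `today`."""
    items = []
    if r.acknowledged is None and today > ack_deadline(r):
        items.append("acknowledgement")
    if r.feedback_given is None and today > feedback_deadline(r):
        items.append("feedback")
    due = next_status_update_due(r)
    if due is not None and today > due:
        items.append("status_update")
    return items


if __name__ == "__main__":
    # Constructed sample: an Irish case acknowledged two days after receipt.
    sample = Report("R-2", date(2023, 1, 10), jurisdiction="IE",
                    acknowledged=date(2023, 1, 12), status_update_requested=True)
    print("feedback due", feedback_deadline(sample))
    print("next status update due", next_status_update_due(sample))
    print("overdue on 2023-04-13:", overdue_items(sample, date(2023, 4, 13)))
```

Because feedback and status updates are measured from the acknowledgement, not from receipt, a late acknowledgement does not extend the later deadlines here: the tracker falls back to the seven-day acknowledgement deadline as the anchor whenever no acknowledgement has been recorded.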

Privacy in 2023 What to Expect and How to Prepare

BY: JAMES CASTRO-EDWARDS
Counsel, Arnold and Porter
NANCY PERKINS
Counsel, Arnold and Porter

U.S. legal trends

Privacy law compliance in the United States today demands resilience, flexibility, and responsiveness. To date, the U.S. Congress has failed to enact broadly applicable privacy standards to govern companies uniformly nationwide. Seeking to fill the gaps in existing privacy regulation, the states are rapidly taking action, with one state in particular, California, leading the charge with a continually expanding set of privacy-related requirements to protect individuals residing in the state. California's initiatives have triggered other states to follow suit. In just the past two years, four other states enacted new consumer data privacy laws, all of which are scheduled to take effect in 2023. However, each state's version of consumer privacy law differs in various ways from the others. This means businesses will face an ongoing challenge in juggling privacy obligations under multiple regimes. Adding to the complexity of the states' different privacy law frameworks, the Federal Trade Commission (FTC), which has broad jurisdiction over for-profit companies operating in the U.S., initiated a potentially far-reaching rulemaking process to address what it perceives to be major gaps in privacy and security protections for consumers. At the same time, the Department of Health and Human Services, which regulates a wide range of entities in the healthcare sector with respect to the privacy and security of protected health information, is poised to amend its privacy regulations. Further, the Securities and Exchange Commission (SEC), which regulates publicly traded companies, proposed new cybersecurity rules, while the federal banking agencies issued new rules for financial institutions and their service providers for notifications of cybersecurity incidents. For companies doing business in the U.S., this multifaceted privacy law environment can seem daunting. As is the case with most major challenges, a framework for formulating fundamental principles can help make compliance and data strategy more manageable. With limited resources to invest, keeping a realistic focus on significant risks, rather than getting mired in the minutiae of detailed requirements, can also prove beneficial. To help navigate this complex landscape, the paragraphs below suggest a conceptual roadmap for streamlining privacy efforts.

Common state law requirements

The five states that enacted broadly applicable consumer privacy laws (California, Colorado, Connecticut, Utah, and Virginia) have all embraced certain fundamental privacy principles and concepts, including many that are at the core of the European Union General Data Protection Regulation (GDPR) (discussed below). This trend is likely to continue in additional states.

Fueled by concerns that consumers lack knowledge of, and tools to control, how their personal data are being captured (particularly online), used and shared, the five states' laws all contain provisions requiring:

- Consumers be given notice (descriptions of what data is collected, and why, and who it is shared with)
- Privacy rights (some control over the use, disclosure and retention of their personal information and means to access and amend)
- Companies to implement privacy-by-design (ensuring privacy is considered up front and for specified purposes)
- Purpose limitations (forcing companies to collect and use data in accordance with a set of appropriate and lawful purposes)
- Security (protection of personal data)
- That companies are accountable (through enforcement and complaint mechanisms, documentation requirements, and oversight and auditing requirements)

These same principles are the backbone not only of the GDPR, but also of U.S. federal regulations governing the banking industry, healthcare industry, and industries handling children's information, among others. They thus serve as a reliable framework for designing a privacy program even while the legal goalposts and guardrails for that framework are still under construction. Following these principles will go a long way in protecting against complaints from individuals or regulators. Key practical steps to implement these principles include:

- Adopting a clear, publicly available privacy notice that describes the company's data practices and individuals' privacy rights
- Making that notice available to individuals before collecting their personal information (wherever collection occurs)
- Adhering, without exception, to the statements in that notice, including to respect people's privacy rights
- Engaging in privacy-by-design to ensure the ethical collection and use of data (in line with lawful purposes)
- Making third-party recipients of data accountable to follow your statements about data use
- Ensuring an internal privacy program that documents compliance efforts and risk determinations and allows for monitoring and auditing of same
- Maximizing the protection of data in accordance with its sensitivity and the threats thereto

New complexities under the state laws as of 2023

Although the five U.S. states' broad consumer protection laws have fundamental similarities, the scope of California's law, the California Consumer Privacy Act (CCPA), is notably more expansive than the laws of the other four states. This is due to the expiration of the law's previous exemptions for personal information about employees and business-to-business (B2B) contacts (such as customer representatives and vendor contacts). Further, the California Privacy Protection Agency, which was established as a new CCPA administrative and enforcement authority in 2020, recently issued detailed draft regulations implementing the amendments to the CCPA adopted pursuant to the California Privacy Rights Act of 2020 (CPRA). Businesses subject to the CCPA will have significant work to do to ensure compliance with those regulations, the enforcement of which is scheduled to commence in the third quarter of 2023. As noted, until January 1, 2023, the CCPA exempted from most of its requirements personal information about employees and B2B contacts. Until late August 2022, it was widely anticipated that the California legislature would extend these exemptions. Given these expectations, and because the other four states' consumer privacy laws contain permanent exemptions for such information, many companies have designed their privacy programs specifically to protect the personal information of consumers with whom they deal on a personal or household basis. Adjusting to the CCPA's new scope covering employee and B2B contact information as well will be a challenge for these companies. In addition, both under the new CCPA regulations and other states' privacy regimes, businesses will need to grapple with restrictions on, among other things:

- Uses and disclosures of "sensitive personal data" (as defined in varying ways)
- "Sales" of personal data
- Sharing of personal data, including online tracking information, for certain advertising purposes
- Collection of personal information of minors

The specifics of these restrictions, and the requirements for implementing methods for consumers to opt in or out of these types of processing of personal information, may be similar across certain states, and can be handled in a uniform manner, but they will not be uniform across all states. Again, this underscores the need for a flexible posture with a focus on areas of highest risk.

Data transfers: the new EU-U.S. Data Privacy Framework

A new EU-U.S. transatlantic data flow agreement is expected to be finalized by the spring of 2023. The EU-U.S. Data Privacy Framework will enable the flow of personal data from data exporters in the EU to data importers in the U.S. who have signed up to the agreement. The Framework offers a flexible alternative to the European Commission's Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), which multinationals with a presence inside and out of the EU must otherwise use to share personal data (absent some small exceptions). The European GDPR prohibits the transfer of personal data to third countries that do not guarantee an adequate level of data protection. Third countries are countries outside the European Economic Area. The European Commission declared a small number of third countries, such as Switzerland, Canada and Argentina, as guaranteeing an adequate level of data protection. Such an adequacy finding means personal data may be freely transferred from EU Member States to the adequate third country. However, the transfer of personal data to third countries which have not been granted an adequacy finding (such as the U.S.) is prohibited, unless appropriate safeguards have been implemented. Currently, the main appropriate safeguards are SCCs and BCRs, which may be onerous to implement or expensive and time consuming, respectively. More flexible data transfers were available in the form of the Privacy Shield and the Safe Harbor scheme, which were invalidated following the Schrems II and Schrems I decisions in 2020 and 2015 respectively. Multinationals will welcome the EU-U.S. Data Privacy Framework, which offers a business-friendly alternative to facilitate transatlantic data sharing. In October 2022, U.S. President Biden signed an executive order, which mandates legal safeguards over U.S. security agencies' use of EU citizens' personal data. This is a critical and long-awaited next step in the progress of the EU-U.S. Data Privacy Framework. Following the U.S.'s move, the European Commission will need to make an adequacy finding, which could take as long as six months. If and when it does take effect, the Framework would operate as a replacement for the Privacy Shield. However, Max Schrems, founder of privacy non-profit NOYB, already expressed reservations regarding the level of protection guaranteed by the EU-U.S. Data Privacy Framework, and a third challenge seems inevitable. If Schrems' third challenge repeats his earlier successes, multinational businesses' access to a flexible EU-U.S. data transfer solution may be short-lived. Only time will tell, as this plays out over the course of 2023.

UK/EU divergence: the Data Protection and Digital Information Bill

In the Queen's Speech of May 2022, the British government announced its intention to reform U.K. data protection law. The government previously expressed its desire to take advantage of Brexit to realize the apparently conflicting aims of creating a more business-friendly data regime that promotes growth and innovation, while continuing to protect individuals' privacy rights. The draft Data Protection and Digital Information Bill was published in July 2022, in an effort to realize the government's intentions. Notwithstanding the government's ambitious claims, the bill amounted to little more than an evolution of the existing U.K. GDPR, rather than a radical overhaul. However, the changes the bill would have introduced regarding international data transfers potentially threatened the U.K. adequacy decision the European Commission made in June 2021. The adequacy decision enables the free flow of personal data between the EU and the U.K. following Brexit. The European Commission may withdraw the decision if the U.K. data protection regime diverges too far from European data protection standards. Such a withdrawal would mean that organizations in EU member states would be prohibited from sharing personal data with the U.K., which would be costly and disruptive for multinational businesses with a presence in the U.K. and the EU. The draft Data Protection and Digital Information Bill looks set to make further progress, following the November announcement at the International Association of Privacy Professionals (IAPP) Congress 2022 in Brussels by DCMS deputy director Owen Rowland that the latest consultation on the Bill will commence shortly. The need for reform is questionable; while the U.K. GDPR may not be perfect, it is fit for purpose in striking a reasonable balance between protecting individuals' rights and businesses' interests. The British government may dismiss the GDPR as overly unfriendly to business goals for data use. Yet, it seeks to give individuals choice and control over how their personal data is used and imposes heavy penalties on organizations that fail to abide by the rules. If the U.K. government pushes ahead with its proposed reform, resulting in a U.K. data protection regime that fails to meet European standards, leading to a revocation of the U.K.'s adequacy finding, companies will face a much-increased burden to enter into an appropriate data transfer solution, as well as carry out a transfer risk assessment, for transfers from the EU to the U.K. The inevitable costs to businesses are likely to absorb at least some of the purported savings (or increased revenues from new data uses) the new legislation would make. Whether the British government will press ahead with its proposed reform remains to be seen, so the best advice to multinational businesses is to watch this space.

2023 prediction

As noted, in recent years the U.S. Congress has considered, but failed to pass, various forms of federal privacy legislation. The new Congress taking over in 2023 is not likely to put a significantly new face on the prospects for passage of federal privacy legislation. Regulated entities therefore would do well to focus on the trends in the states, as well as the anticipated FTC rulemaking and the agency's ongoing privacy enforcement actions under section five of the FTC Act. The European Commission's adequacy determination concerning the EU-U.S. Data Privacy Framework is expected imminently; whether or not it survives the almost inevitable Schrems III challenge remains to be seen. Meanwhile, U.K. businesses that trade internationally may well be hoping that the government sees sense and leaves well enough alone, rather than risking the U.K.'s adequacy decision and the free flow of data with Europe.

About The Authors

James Castro-Edwards | Counsel, Arnold and Porter

James Castro-Edwards provides counsel on global data protection compliance projects for multinational companies, advises on data protection issues, and helps companies respond to data breach situations. He represents a broad range of clients including financial, media and technology organizations, and medical device and pharmaceutical companies. In addition to advising clients on data protection issues, Mr. Castro-Edwards has created innovative data protection support, audit and training programs for clients. Earlier in his career, Mr. Castro-Edwards was in private practice and served as a solicitor in the data protection group at PwC Legal. He is widely published in a variety of titles, a regular public speaker on data protection issues and wrote the textbook on the EU General Data Protection Regulation (GDPR) for The Law Society.

Nancy Perkins | Counsel, Arnold and Porter

Nancy Perkins focuses her practice on regulatory compliance and consulting on emerging policy issues, with a principal focus on data privacy and security and electronic transactions. Ms. Perkins regularly advises clients on compliance with a wide range of data protection requirements at the federal and state levels, including rules applicable to online communications and transactions as well as all types of uses and disclosures of medical, financial, and other sensitive personal information. She assists clients in structuring their activities, online service offerings, and privacy policies to comply with applicable laws and best practices, taking into account technological and intellectual property issues associated with the expansion of electronic commerce and Internet activities. Among other laws, Ms. Perkins frequently provides counsel on the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (as amended by the Fair and Accurate Credit Transactions Act), the federal E-Sign Act, the Children's Online Privacy Protection Act, and the Video Privacy Protection Act, as well as state privacy, security, data breach notification, and electronic signature laws.

Addressing Risk, Compliance & Integrity in the Extended Enterprise

BY: MICHAEL RASMUSSEN
GRC analyst and pundit, GRC 20/20 Research, LLC

The structure and reality of business has changed. Traditional brick-and-mortar business is a thing of the past; physical buildings and conventional employees no longer define the organization. Instead, modern organizations are an interconnected web of relationships, interactions, and transactions that extend far beyond traditional business boundaries. Further, organizations rely on relationships with suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, intermediaries, partners, and more, for critical operations. Even the smallest organization can have dozens of relationships they depend on for goods, services, processes, and transactions. In large organizations, this can expand to tens of thousands of third-party relationships with suppliers, vendors, partners, and service providers. With businesses increasingly relying on a complex network of third-party relationships to thrive, the governance, risk management, and compliance (GRC) of third-party relationships is even more critical. Without effective GRC, organizations will fail to manage uncertainty, avoid disruptions, act with integrity, and achieve business objectives.

In a dynamic risk environment, resiliency requires agility and the ability to navigate great uncertainty. Effectively mitigating the exposure of potentially disruptive events requires real-time and comprehensive risk intelligence within and across the extended enterprise, with insights to both assess the current and future risk landscape and drive sagacious action. Resiliency regulations, such as in the U.K. with the FCA/PRA/Bank of England as well as the EU Digital Operational Resilience Act, require resilience of third-party relationships that organizations depend upon. This is even more apparent in the age of ESG. The world is seeing a broad sweep of regulations impacting ESG in third-party relationships. Germany's Corporation Due Diligence Act, which went into effect January 1, 2023, has organizations worldwide concerned about ongoing due diligence activities in the extended enterprise. With the corresponding EU Directive, this is going to require every member country of the EU to pass similar legislation that impacts anyone doing business with organizations in these countries. Then there is the range of regulations that focus on aspects of ESG in the extended enterprise. These include the proposed SEC climate change rule, U.S. FCPA, U.K. Bribery Act, Sapin II, U.K. Modern Slavery Act, Australia's Slavery Act, California's Transparency in Supply Chains Act, Conflict Minerals in the Dodd-Frank Act, and so many more. Privacy laws such as the EU GDPR and California's CPRA have an impact on the extended enterprise.

The inevitability of failure: fragmented views of third-party risk & compliance

Too often, organizations struggle to adequately govern their third-party relationships because of their reliance on outdated practices. Silos of documents, spreadsheets and emails give a false perspective of risk as they do not show the big picture. Technology enables organizations to be more effective and do more with fewer resources, but unfortunately, too many organizations have failed to seize the opportunity to evolve their third-party risk processes. Failure in third-party GRC comes about when organizations rely on outdated risk practices including:

1. Silos of third-party oversight. Silos of oversight occur when an organization allows different business functions to conduct third-party oversight without coordination, collaboration, and architecture. The risk posed by a third party for one business function may seem immaterial but is actually significant when factored into multiple risk exposures across all of the business functions relying on the same third party. Without a single pane of visibility into the risk in their third-party relationships, silos leave the organization blind to risk exposures that are material when aggregated.

2. Limited resources to handle growing risk and regulatory concerns. Organizations are facing a barrage of increasing regulatory requirements and an ever-expanding risk landscape. While risk functions are operating with limited budgets and human teams, they need to do more with less. In reality, truly effective continuous monitoring and mitigation of today's dynamic and ever-expanding risk landscape is beyond human capabilities alone.

3. Overreliance on manual processes. When organizations govern third-party relationships in a maze of documents, spreadsheets, emails, and file shares, it is easy for risks to be missed amidst the extensive volume of data. In addition, when things go wrong, these manual processes support neither agility nor a robust feedback loop to improve processes going forward.

4. Limited view of risk vectors. Organizations often over-rely on third-party financial and cyber risk management and suffer from risk exposure in domains such as compliance, operations, ESG, location and Nth parties. To fully understand the complete risk picture, an organization needs to have full-spectrum risk coverage.

5. Scattered third-party risk solutions. When different parts of the organization use different third-party risk solutions, silos of risk data and intelligence are created that are difficult to assimilate, thus making it difficult to maintain, aggregate and provide comprehensive, accurate, and current third-party analysis. The resulting redundancies and inefficiencies make organizations less agile and impact the effectiveness of third-party risk programs.

6. Overreliance on periodic assessments. For many organizations, third-party risk analysis occurs primarily during the onboarding process at the onset of the business relationship, with only periodic reassessment of risk over the length of the engagement. This approach fails to keep organizations informed in a timely manner when the risk exposure changes between assessments. Without a continuous source of real-time risk intelligence feeds, the organization lacks the ongoing situational awareness necessary for proactive risk mitigation.

The modern business is dependent on third-party relationships and requires real-time and continuous awareness of its current and future risk landscape in the extended enterprise. A manual and point-in-time approach to third-party risk intelligence compounds the problem and can lead to elevated risk exposure. It is time for organizations to step back and move from legacy practices, defined by manual processes and periodic assessments, to a third-party risk strategy that includes integrated full-spectrum real-time views of situational awareness that impacts the extended enterprise and operations. A dynamic business environment requires the capability to actively manage risk intelligence and fluctuating risks im

218、pacting the organization and its relationships.The old paradigm of uncoordinated third-party risk management is inadequate given the volume of risk information,the pace of change,and the broader operational impact on todays business environment and operations.Organizations need to address third-part

219、y risk management with an integrated strategy and an enterprise-wide information architecture that provides 360 third-party risk situational awareness.The goal is to provide actionable and relevant risk intelligence to support third-party risk governance and oversight to ensure the organization is a

220、gile,resilient,and acting with integrity in its business relationships.The end goal in mature third-party risk management is agility.This is where organizations will find the greatest balance in collaborative third-party risk management and oversight.It allows for aggregation of third-party risk int

221、elligence relevant to individual departments,business functions,and relationship owners with a common integrated risk intelligence information architecture that aggregates and monitors risk across these areas.2023 predictionOrganizations in 2023 need to clearly implement a well-defined third-party r

222、isk strategy,process,and architecture that delivers agility through the ability to connect,understand,analyze,and monitor risks and underlying patterns of risk in context of relationships and services across the extended enterprise.Different functions participate in third-party risk strategy with a

focus on coordination and collaboration through a common core risk technology and process architecture.

About The Author

Michael Rasmussen | GRC analyst and pundit, GRC 20/20 Research, LLC

Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. With 27+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC”, being the first to define and model the GRC market in February 2002 while at Forrester. Michael has contributed to U.S. Congressional reports and committees, and currently serves on the Leadership Council of the OCEG and chairs the OCEG Technology Council, OCEG Policy Management Group, and the OCEG GRC Architect Group. Michael is quoted extensively in the press and is respected for his commentary on broadcast news channels. He is an Honorary Life Member in The Institute of Risk Management for his contributions to risk management and GRC. In June 2007, Treasury & Risk recognized Michael as one of the 100 most influential people in finance, with specific accolades noting his work in “Governance and Compliance: Saving the Planet and the Corporation” and as a “Rising Star in Rocky Times: Corporate America's Outstanding Executives.” Prior to founding GRC 20/20 Research, Michael was a vice-president and Top Analyst at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm, and prior to that he gained specific experience managing compliance and risk within commercial organizations. Michael's educational experience consists of a juris doctorate in law and a bachelor of science in business. Michael is currently pursuing a master of divinity at Trinity Evangelical Divinity School with a research focus in ethics and church history. He is a GRCP (GRC Professional), CCEP (Certified Compliance and Ethics Professional), and a CISSP (Certified Information Systems Security Professional). OCEG has recognized him as an OCEG Fellow for his contributions to and advancement of GRC practices around the world.

Third Party Risk in the Era of Sanctions Enforcement

BY: MICHAEL VOLKOV, CEO, The Volkov Law Group, LLC

An uptick in sanctions activity dominated the global compliance landscape in 2022. Precipitated in large measure by the invasion of Ukraine by the Russian Federation, sanctions have re-emerged as a primary means of advancing foreign policy objectives, including a coordinated international response designed to cripple the Russian Federation's military-industrial capacity. These sanctions range from substantial new additions to the Specially Designated Nationals and Blocked Persons List (SDN List) maintained by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) to robust new export controls maintained by the U.S. Department of Commerce's Bureau of Industry and Security (BIS). In addition, foreign jurisdictions, principally the United Kingdom and the European Union, have leveled their own punitive measures against Russian oligarchs and industry for their complicity in the Ukraine conflict. Among other things, these restrictive measures include travel bans, financial prohibitions, export restrictions, and asset seizures.

In the third-party risk management context, risk-based due diligence of an organization's business partners, including, but not limited to, its suppliers, vendors, distributors, agents, service providers, and other intermediaries, is part and parcel of mitigating the risk of incurring liability under international sanctions regulations. While the breadth and depth of such due diligence varies considerably based on factors like jurisdiction, industry, and third-party role, the common aim of all such inquiries is to ensure that the organization has insight into the operations and ownership of the due diligence target. Where companies lack such information, the risk of violating sanctions regulations is considerable, because such laws often reach not only the designated parties themselves but also the entities they own or control. Under OFAC's 50 Percent Rule, for example, an entity owned 50 percent or more in the aggregate, directly or indirectly, by one or more blocked persons is itself treated as blocked, even though it is not named on the SDN List.

Complying with OFAC sanctions

Foremost among the global sanctions regulations organizations should be cognizant of are those enforced by OFAC. Long considered the most aggressive and far-reaching sanctions leveled by any jurisdiction, sanctions imposed by OFAC pursuant to both congressional mandates and presidential directives target myriad countries, regions, industries, entities, and individuals deemed to be participating in activities contrary to the national security

or foreign policy objectives of the United States. Under selective sanctions targeting the Russian Federation announced this year, OFAC imposed a series of incrementally more aggressive prohibitions that now forbid virtually any new investment by U.S. persons in the debt or equity of Russian Federation-based companies, as well as the importation of crude oil and petroleum products of Russian origin. In a new development coincident with the publication of this report, OFAC recently expanded its Russia sanctions to bar U.S. persons from providing services for the maritime transportation of Russian Federation-origin crude oil unless that oil is sold at or below a price cap set by the United States and its allies. The intended effect of OFAC's recent action is to further constrain the ability of Russia to export energy products abroad, thereby reducing the critical revenue that the Putin regime relies on to fund its ongoing incursion into Ukraine.

While the sheer complexity of the sanctions leveled against the Russian Federation on its own warrants additional attention from the compliance functions of organizations, the threat of aggressive enforcement activity by the U.S. Department of Justice raises the stakes even further. As Deputy Attorney General Lisa Monaco emphasized in June of this year, sanctions “are the new Foreign Corrupt Practices Act,” alluding to the fact that the DOJ is prioritizing enforcement against sanctions evasion to a much greater extent than in the past. As Monaco emphasized in her remarks, the DOJ has dedicated significant investigatory and prosecutorial resources to enforcing Russia sanctions regulations, including creating a new task force, dubbed “Task Force KleptoCapture,” to prosecute intentional violations of U.S. sanctions regulations by Russian oligarchs. Monaco made it clear the DOJ would pursue such cases with “unprecedented intensity,” and explicitly cautioned all businesses with international exposure to take sanctions compliance more seriously.

Staying ahead of third-party sanctions risk

In such an era of heightened enforcement, it is imperative that all businesses with potential ties to Russia, however remote, adopt appropriate policies, procedures, and internal controls with the aim of advancing sanctions compliance as a signature operational concern. To the extent an organization's third-party due diligence program is lacking in any way, the organization should act swiftly to identify those deficiencies now, and devote appropriate resources to remediating them before a sanctions violation arises. For instance, to the extent a company still relies on periodic manual screening of international sanctions lists to ensure its third-party partners remain compliant, it should plan on transitioning to automated screening using a reputable sanctions screening solutions provider. Because sanctions regulations are subject to frequent change, organizations accustomed to more ad hoc, manual screenings are likely to find

that their current third-party screening practices are insufficient to meet emerging regulator expectations. As one recent enforcement action demonstrated, even a modest interval between periodic manual screenings can result in significant violations of sanctions regulations: a counterparty can be designated between two screens, and every transaction with it in the interim is a potential violation. Further, companies that have implemented automated sanctions screening should be cognizant that not all sanctions activity is list-based. In some instances, international sanctions regulations prohibit companies from engaging in specified conduct, for example furnishing maritime transportation services or engaging in certain financial transactions, regardless of whether the counterparty appears on any list. In these circumstances, more in-depth due diligence is required to ensure that the underlying activity itself is not prohibited by law. Companies that lack a protocol for a more in-depth examination of third-party partners for sanctions risk should consider implementing one now. If internal resources are insufficient, the company should consider outsourcing its enhanced due diligence activities to a reputable compliance solutions provider or law firm. While due diligence itself is no absolute guarantee that a sanctions violation will not occur, companies that can demonstrate a good-faith, consistent effort to comply with sanctions regulations are the most likely to benefit from leniency in any criminal, civil, or administrative proceeding.

2023 prediction

As mentioned above, sanctions enforcement activity remains a core priority of DOJ senior leadership. This emphasis is unlikely to shift anytime soon, as the Russian Federation's Ukraine incursion remains in full force. As a consequence, ethics and compliance professionals are charged with acquainting themselves with the basics of applicable sanctions regulations, both domestic and international, as they pertain to the operations of their respective organizations. Moving forward, any transaction with even the slightest Russian Federation nexus should be subject to scrutiny. Moreover, as sanctions regulations are subject to frequent change, organizations that lack automated continuous screening of their third-party relationships should devote resources to that effort now. More importantly, organizations that lack a process for a more enhanced analysis of the sanctions risk involved in sizable transactions should plan on allocating resources to this effort going forward.

About The Author

Michael Volkov | CEO, The Volkov Law Group, LLC

Michael Volkov, CEO of The Volkov Law Group, PC, is a recognized expert in anti-corruption enforcement and defense, internal investigations, ethics and compliance, and white-collar defense issues, with over 30 years' experience in practicing law. Mr. Volkov served for 17 years as an assistant U.S. attorney in the District of Columbia and has served on the Senate and House Judiciary Committees as the chief crime and terrorism counsel to the respective chairmen. He also served as a deputy assistant attorney general in the Office of Legislative Affairs of the U.S. Department of Justice and as a trial attorney in the DOJ's Antitrust Division. He also maintains the award-winning legal blog Corruption, Crime & Compliance.
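The sanctions chapter above contrasts periodic manual list checks with automated continuous screening, and notes that ownership by designated persons can make an unlisted counterparty blocked as well. The Python block below is an added illustration of those mechanics; it is not code from the ebook, its authors, or any screening vendor. It shows fuzzy matching of counterparty names against a list snapshot (so a transliteration variant such as “Metal” versus “Metall” is not missed), aggregation of direct and indirect holdings by listed persons under OFAC's 50 Percent Rule, and a re-screen of the whole portfolio whenever a new list version arrives, which is what catches a counterparty designated between two quarterly screens. Every name, holding and list entry is constructed sample data, the two thresholds are assumptions to be tuned against a real list, and the check is list-based only, so conduct-based prohibitions still need a separate transaction-level review.

```python
"""Third-party sanctions screening: fuzzy list matching, indirect ownership under the
OFAC 50 Percent Rule, and re-screening on every list update.
Added example; all names, holdings and list entries are constructed sample data."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re

# Legal-form tokens carry no identity; they must neither drive nor defeat a match.
LEGAL_FORMS = {"llc", "ltd", "limited", "inc", "corp", "ooo", "ao", "pao", "zao", "gmbh", "plc"}
HIT_THRESHOLD = 0.85     # assumed: strong enough to treat as a match to a listed party
REVIEW_THRESHOLD = 0.5   # assumed: weak match, hold for analyst review


def normalize(name: str) -> str:
    """Lower-case, drop punctuation and legal forms, sort tokens so word order is irrelevant."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(sorted(t for t in tokens if t not in LEGAL_FORMS))


def similarity(a: str, b: str) -> float:
    """Character-level similarity of two normalized names (1.0 = identical). Unlike exact
    token equality it tolerates transliteration variants such as Metal/Metall."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        return 0.0
    return SequenceMatcher(None, na, nb).ratio()


def best_match(name: str, sdn_names: list[str]) -> tuple[str, float]:
    """Highest-scoring list entry for `name` as (entry, score); ('', 0.0) for an empty list."""
    return max(((e, similarity(name, e)) for e in sdn_names),
               key=lambda hit: hit[1], default=("", 0.0))


@dataclass
class ThirdParty:
    name: str
    owners: dict[str, float] = field(default_factory=dict)  # owner name -> equity fraction


def blocked_share(party: ThirdParty, parties: dict, sdn_names: list[str], depth: int = 0) -> float:
    """Equity held by blocked persons, directly or through blocked intermediaries.
    Under the 50 Percent Rule an owner's whole stake counts if the owner is listed or is
    itself 50% or more blocked-owned; a stake held by a non-blocked owner does not count."""
    total = 0.0
    for owner, share in party.owners.items():
        if best_match(owner, sdn_names)[1] >= HIT_THRESHOLD:
            total += share
        elif owner in parties and depth < 10 and \
                blocked_share(parties[owner], parties, sdn_names, depth + 1) >= 0.5:
            total += share
    return total


def screen(party: ThirdParty, parties: dict, sdn_names: list[str]) -> tuple[str, str]:
    """Return (decision, reason): HIT on a strong name match or 50%+ blocked ownership,
    REVIEW on a weak name match, otherwise CLEAR. This is list-based screening only;
    conduct-based prohibitions (for example services for maritime transport of price-capped
    crude) need a separate transaction-level check."""
    entry, score = best_match(party.name, sdn_names)
    if score >= HIT_THRESHOLD:
        return "HIT", f"name matches listed party {entry!r} ({score:.2f})"
    share = blocked_share(party, parties, sdn_names)
    if share >= 0.5:
        return "HIT", f"{share:.0%} owned by blocked persons (50 Percent Rule)"
    if score >= REVIEW_THRESHOLD:
        return "REVIEW", f"possible match {entry!r} ({score:.2f})"
    return "CLEAR", ""


def rescreen_on_update(parties: dict, old_list: list[str], new_list: list[str]) -> dict[str, str]:
    """Re-screen the whole portfolio when a new list version arrives; return the parties whose
    decision changed. A periodic manual screen would not see these until its next cycle."""
    changed = {}
    for name, party in parties.items():
        before = screen(party, parties, old_list)[0]
        after = screen(party, parties, new_list)[0]
        if before != after:
            changed[name] = after
    return changed


# Constructed sample data: hypothetical names, not real designations.
SDN_Q1 = ["Ivanov, Ivan Ivanovich", "Severny Metall OOO"]
SDN_Q2 = SDN_Q1 + ["Baltic Trade Holdings AO"]  # designated after the Q1 screen ran
PARTIES = {
    "Severny Metal Ltd": ThirdParty("Severny Metal Ltd"),            # spelling variant of a listed name
    "Severny Metall Trading": ThirdParty("Severny Metall Trading"),  # shares a name stem: review
    "Baltic Trade Holdings": ThirdParty("Baltic Trade Holdings"),    # clear in Q1, listed in Q2
    "Holdco Alpha": ThirdParty("Holdco Alpha",
                               {"Ivan Ivanovich Ivanov": 0.6, "Minority investors": 0.4}),
    "Nordic Steel Distribution": ThirdParty("Nordic Steel Distribution",
                                            {"Ivan Ivanovich Ivanov": 0.3, "Holdco Alpha": 0.4,
                                             "Public float": 0.3}),  # 30% direct + 40% via Holdco
}

if __name__ == "__main__":
    for name, party in PARTIES.items():
        print(f"{name:26s} {screen(party, PARTIES, SDN_Q1)}")
    print("changed after list update:", rescreen_on_update(PARTIES, SDN_Q1, SDN_Q2))
```

Run stand-alone, the block prints each party's decision against the first list snapshot and then the one party whose decision flips after the list update. Nordic Steel Distribution is the case a name-only screen gets wrong: it matches nothing, yet 30 percent is held directly by a listed person and another 40 percent through an intermediary that is itself majority blocked-owned, so it is blocked under the 50 Percent Rule. In production the snapshots would be the dated OFAC SDN releases and the re-screen would be triggered by each release rather than by a calendar.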

New Expectations of Executive Leadership: How Will You Prove and Certify Your Program Works?

BY: MATT KELLY, CEO, Radical Compliance

As compliance officers enter 2023, they need to learn how to handle a double-edged sword: the Justice Department's new requirement that, as part of corporate misconduct resolutions, CCOs must certify the effectiveness of their compliance programs.

If you wield that sword correctly, certification requirements could be quite useful. They will force compliance officers and CEOs to think seriously about what an effective compliance program for their corporation should be able to do, and then to marshal the necessary resources to bring that plan about.

Mishandle the sword, however, and you might end up skewered. What happens if you and the CEO disagree about the state of your compliance program? What data will you need to collect (from across the enterprise and your third parties) to satisfy the expectations of the Justice Department? Could CCOs face personal liability if their certifications don't hold up?

That's the challenge now facing compliance officers. You'll need deft moves and skill to prevail.

The logic behind CCO certifications

First, we should step back and remember precisely what the Justice Department has done, and why. The requirement is that chief compliance officers and their CEOs will both need to certify, at the end of a deferred- or non-prosecution agreement, that the company's program “is reasonably designed and implemented to detect and prevent violations of the law and is functioning effectively.” So said assistant attorney general Kenneth Polite when he announced the requirement last May.

The intentions behind program certification are laudable, at least. By forcing the chief executive and the CCO to certify the effectiveness of the compliance program, it assigns accountability to those executives. It drives the importance of a culture of compliance up the company's priority list, ideally to the top.

Compliance program certification also helps the Justice Department's broader effort to crack down on recidivist corporate misconduct and nurture a greater appreciation of corporate compliance. Those CEOs who might need to certify their program also tend to sit on the boards of other companies; that helps to spread the message in corporate boardrooms that strong compliance programs matter. Moreover, when the CEO and CCO have to sign their names to a certification under penalty of perjury, that does tend to focus the mind. Compliance officers and chief executives alike will want to convey the importance of effective compliance throughout the whole enterprise, and build the systems, policies, and controls necessary to meet that standard.

So, one can see why, from the Justice Department's perspective, compliance program certification is a compelling idea. From the compliance officer's perspective, of course, things look quite different.

Facing new problems and perils

The primary question for compliance officers is obvious: What happens if you certify that your program is “reasonably designed and functioning effectively,” and the company subsequently suffers a compliance failure anyway? Right now, we don't know. The Justice Department only began imposing certification requirements in 2022. It might be years before an erroneous certification comes to light, and when it does, the Justice Department will evaluate that case based on the specific facts at hand. Compliance officers won't have that luxury. You'll need to certify your program without knowing what future scenarios might prove you wrong.

Meanwhile, compliance officers will face other, more practical headaches along the way. If you and the CEO disagree over the health of the compliance program, who settles that dispute? If you join a company in the middle of a DPA or NPA, can you review or even redesign the pre-existing compliance program if you believe it isn't up to standard? Can you ask for directors and officers insurance to protect you from possible legal costs? What if the company declines? When do you quit, rather than oversee a compliance program you believe to be substandard?

It will be years before compliance officers have answers to all those questions, but even now, at the start of 2023, we can start to answer some of them.

Get better data, run better programs

The immediate answer is that compliance officers need to work on building an effective compliance program in the first place, and then document why the program is indeed effective. That's what the Justice Department will want to see if your company ever faces a government investigation: evidence that the program was designed thoughtfully and works as intended. In that case, several specific capabilities become even more important:

Risk assessments. You'll need to be able to identify new regulatory requirements and changes to your own company's operations, and do so swiftly. You'll also need the ability to test compliance controls.

Key performance indicators for the compliance program. You'll need relevant KPIs, and an ability to track changes in those KPIs over time.

Data analytics. This isn't simply about collecting data (from multiple parties, in multiple formats). You'll also need some way to turn that data into meaningful insights about program weaknesses, problematic transactions, risk exposure, and the like.

Third-party due diligence and monitoring. Third-party risk became an even more pressing issue in 2022, after Russia invaded Ukraine and the West responded with sweeping, fast-moving sanctions against Russian persons. More broadly, as third parties play ever larger roles for corporate organizations, your ability to manage their compliance risks will become even more crucial.

Internal accounting controls. Weak accounting controls are a perennial source of FCPA risk. Companies need to assess whether documentation and approval controls for high-risk payments are sufficiently strong, and for each transaction they need to confirm that employees follow the rules.

Aside from those program-specific needs, there's a larger issue here. Compliance officers will also need to forge stronger relationships with the CEO and the board. After all, the CEO's signature will be next to yours on the certification forms, and the board is the ultimate source of authority for the organization. In a roundabout way, certification requirements could help propel your compliance program up the maturity curve, since CCOs should (ideally) have more influence with senior management. You can then reorient corporate priorities toward that stronger culture of compliance.

The good news is that most CEOs and boards already value a strong culture of compliance, at least in theory; and most other senior executives do too. In 2023 and beyond, chief compliance officers will need to leverage that abstract enthusiasm into demonstrable, vocal, tangible support for the compliance program. Then, with luck, we won't need to worry about what happens to a CCO who signs a certification form that later proves invalid, because you'll have that reasonably designed and effective compliance program in place.

2023 prediction

We won't see a lot of chief compliance officers certifying the effectiveness of their compliance programs in 2023, but only because the Justice Department settles only a relative handful of cases in any given year. Compliance officers will, however, need to have more frank conversations with their boards and senior management teams about investing in their compliance programs, because CCOs' unease about personal liability for program failures won't be going away. Compliance officers will need to think long and hard about how to assess risk and measure the effectiveness of their programs, and about what their red lines will be for when they leave a job rather than participate in burying a compliance failure.

About The Author

Matt Kelly | CEO, Radical Compliance

Matt Kelly is editor and CEO of Radical Compliance, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations. He speaks and writes on compliance, governance, and risk topics frequently.

Joining Forces with Learning and Development Will Improve Ethics and Compliance Education

BY: INGRID FREDEEN, Vice President, Online Learning Content, NAVEX; MEGAN TORRANCE, CEO, TorranceLearning

Building a strong workplace culture where people actively think about how to do the right thing and then follow through in their actions is not something that happens organically. Rather, it is something that takes work and time. As we look to 2023 and beyond, it is clear that high-quality, impactful ethics and compliance learning initiatives and communications will be viewed as paramount in the pursuit of a strong workplace culture. With this focus comes a recognition that learning and development (L&D) professionals are key players and will increasingly have a seat at the table and help shape the direction organizations take. Their presence and expertise will help organizations create more powerful, impactful and effective adult learning and communication programs.

What is driving a greater recognition that L&D has unique contributions to make? Ethics and compliance (E&C) professionals have long known the importance of educating the workforce in order to create and maintain a culture of ethics and compliance. It not only helps mitigate risk and reduce legal liability but also can help carry a message about an organization's own values and priorities. What's more, these learning experiences are among the key activities in the E&C program that reach each and every employee, and in some cases external business partners as well. As E&C professionals have charted a path and developed more

sophisticated learning programs in the past five years, there has also emerged a recognition that something more is needed to actually help shift behaviors and drive a culture forward. Ethics and compliance programs are now starting to recognize that L&D professionals can help take their adult learning and education programs to the next level and help drive values throughout the organization. Though E&C learning has traditionally been the purview of the compliance function, L&D's influence can be the key to supercharging a culture of learning and growth. In fact, there is a growing collaboration between the two functions to bring together the knowledge of L&D professionals in how to make learning experiences more engaging, memorable and effective, and the subject matter expertise of E&C leaders.

It is worth noting that not all organizations have the resources to staff a fully operational L&D function, and smaller businesses may only be deploying the E&C learning modules necessary to maintain regulatory compliance. However, through partnership with consultancies, organizations of all sizes are still able to infuse solid principles of adult learning to enhance the efficacy of their E&C programs. So, while the conversation about L&D having a seat at the table with Compliance inherently speaks to large enterprise organizations, all organizations can see similar results with strategic partnerships.

For those organizations that embrace this emerging trend, L&D partners can help drive program improvements in three critical ways in 2023.

Driving quality over purely cost-driven considerations

First, developing high-quality, effective compliance learning can be difficult, and many competing factors must be weighed in order to optimize a program. Further, there is a cost whether the organization purchases virtual learning modules or builds its own. However, one practice that is increasingly becoming the norm is focusing on high-quality learning, and not just selecting the cheapest solution. This is because when poor-quality learning tools are used, it not only wastes valuable employee time but may also actually harm the overall quality and internal reputation of the E&C program.

We have observed in the past six months that L&D is increasingly at the table in organizations of all sizes. They are seen as a resource and skilled member of the team and are helping organizations make better choices with their budget. In 2023, this trend will most certainly grow in strength as programs that got started early on this journey start to reap the rewards of a strong relationship with L&D, and other programs see the value in engaging L&D as a resource. This shift is the direct result of organizations viewing ongoing adult learning not just as a thing they must do, but rather as an opportunity to engage each and every employee in their organization's values. Compliance communications and the related learning experiences are among the few activities that actually reach each employee on a regular basis, and one of the best opportunities to drive knowledge and educate on expected behaviors.

So, how does L&D fit into the picture? L&D's very mission is to drive organizational performance by increasing skills and knowledge, and they have much to offer here. This is where a trained professional can help identify poorly designed or written content. Some of the most glaring issues they spot include: use of ineffective gimmicks or gamification to mask poorly written content; disparities in design quality and consistency; poorly written questions that ask for regurgitation of a random fact rather than driving application of a lesson; and poorly designed analytics that track results but don't really measure employee knowledge, retention or risks. Learning and development professionals know, despite their functional title, that providing opportunities for learning can positively influence employee behavior, but alone it is not sufficient.

Creating a culture of learning that is employee-focused to drive better program results

Second, learning is not a “one and done” experience. A single course given once every handful of years is certainly better than nothing, but messages and expectations sink in better when there is a sustained and meaningful flow of communication and information. Further, the impact can be increased when learners have an opportunity to apply those lessons in real life. In considering any learning event, identify the real objectives and outcomes to be achieved. If the answer is to check the compliance box, it's unlikely to influence the organization's culture. However, if the objective is to enhance culture through meaningful content, fostering an environment that prioritizes ethics, respect and, yes, compliance, there is a much greater impact. If employees are at the center of these efforts (what they need, care about, and can use), then the organization is already on the way to creating a learning culture.

Organizations are embracing the concept of building a learning culture where meaningful and relevant opportunities to expand on skills and grow professionally are offered to employees. Also important to note, employees must be given allocated time and opportunity to utilize these resources to instill a true culture of learning. This includes covering important compliance-related content, but also learning opportunities that can enhance job performance and career growth. Learning events that are sandwiched in during other high-priority initiatives will not receive the desired time and attention.

A great first step on this journey is to reframe the term “training”, the most used industry terminology, and instead focus on the greater goal: learning. The term “training” comes with baggage, frequently thought of as a boring but necessary task, or used as a punitive action when expectations are not met. “Training” is pushed onto people. Instead, many leading organizations are now talking about these efforts as learning, continued support, and skill building for career growth. “Learning” is what employees do as they build skills and knowledge they can apply on the job. For this to work and permeate across the organization, it's imperative that time is allowed for learning activities and that the content is high quality, relevant and engaging to the workforce. In fact, this entire article excludes the term “training” in favor of terminology centered around learning and education. While this shift in verbiage may take some time and adjustment to adopt, it is an important step in creating a culture that embraces learning.

One approach that is becoming more widely embraced is adaptive learning. This personalization of learning gives an employee a unique experience, with course content adapting to what the employee already understands while providing more information where the employee is struggling. The goal of this type of learning experience is to make it relevant to the learner rather than a waste of their time.

Another approach is self-directed exploration and skill development, including improving knowledge about compliance areas and risks important to your organization. This will help strengthen important corporate values while providing benefits to your employees. It may also encourage employees to seek more challenging roles and opportunities within the organization. Another benefit for the organization, and the compliance function, is helpful metrics to share about the importance of compliance, not only with the organization's leadership but also with employees.

L&D and E&C can work together to build a mutually reinforcing culture of learning and support each other's efforts. Employees rarely differentiate between learning content that comes from E&C and learning content that comes from their L&D teams or operational leaders. High-quality learning experiences from all sources contribute to the organization's overall messaging about the importance of learning and improvement.

Driving for year-over-year program improvements

A third, and important, way L&D contributes to the overall success of E&C learning and communication programs is through their relentless focus on year-over-year program improvements. This focus on improvement is aligned with similar concepts found in DOJ guidance, for example. As noted above, ethics and compliance learning is among the few compliance initiatives that impact each employee every year, and these interactions often happen on a regular basis as new learning topics and communications are rolled out. When these interactions are viewed as two-way communication (sharing information with the employee, but also getting information back from them), organizations create an ongoing opportunity to learn from employees through performance metrics, feedback metrics, and

323、even follow-on effectiveness surveys.This information is vital to identifying hotspots,areas that require additional time and attention,and making decisions about future investments all of which contribute to driving program improvements.When organizations are able to further combine these data poin

324、ts with other compliance data(such as allegations of misconduct,or policy attestations)this creates a new view of the organization and the effectiveness of its E&C program.Further,this also helps to identify locations that may be struggling or where misconduct may be more widespread than an isolated

325、 report.46NAVEX About The AuthorsIngrid Fredeen|Vice President,Online Learning Content,NAVEXIngrid Fredeen,J.D.,vice president,online learning content,has been specializing in ethics and legal compliance training for more than ten years.She has been the principal design and content developer for NAV

326、EXs online training course initiatives utilizing her more than 20 years of specialization in employment law and legal compliance.Prior to joining NAVEX,Ingrid worked both as a litigator with Littler Mendelson,the worlds largest employment law firm,and as in-house corporate counsel for General Mills,

327、Inc.a premier Fortune 500 food manufacturing company.Megan Torrance|CEO,TorranceLearningMegan Torrance is CEO and founder of TorranceLearning,and has over 25 years of experience in learning design,deployment and consulting.Megan and the TorranceLearning team are passionate about sharing what works s

328、o they devote considerable time to sharing professional development in her field.Megan is the author of Agile for Instructional Designers,Data&Analytics for Instructional Designers,and Making Sense of xAPI.She is also a facilitator with eCornells Womens Executive Leadership certificate,and courses i

329、n virtual teaming,team leadership and communication.A talented L&D professional can help identify important data points and report on them so that programs can start(or even continue)the journey of making year-over-year improvements.L&D professionals leverage several solid models for learning experi

330、ence evaluation,covering everything from satisfaction with the program and comprehension of the content,to on-the-job behavior,business results and return on investment.Benchmarking compliance learning initiatives against an organizations other L&D offerings can provide valuable insights on where an

331、d how to continue to improve.2023 predictionAs the world continues to adjust to the new normal and work is thought of differently than in years past,organizations will continue to evolve to meet the needs of the workforce wherever they are located.Organizations that can provide opportunities for per

332、sonal and professional development within a culture that embraces authenticity and learning will find that they enjoy better employee engagement,performance and retention.Learning and development,and ethics and compliance education will continue to influence and reflect the conversation about organi

333、zational culture.“Stay on the front foot,do not worry about heading in precisely the right direction,and simply start moving.”48NAVEX BY:KRISTY GRANT-HARTCEO,Spark Compliance ConsultingShockwaves hit publicly traded companies in March of 2022 when the SEC announced its proposed rule that would require public companies to include certain climate-related disclosures in their annual reports and regis
