+1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 77
The components of strong cybersecurity plans, Part 2:
Mark Lanterman (page 27)
» Maturity assessments lay the groundwork for cybersecurity programs and allow management to establish desired improvement in comparison to
» A security assessment helps establish security governance by providing an independent check on information technology staff, increased awareness of security risks and threats, and prioritization of IT spending for the purposes of risk mitigation.
» A security audit focuses on the completeness, design, implementation, and efficacy of internal
» Vulnerability scanning is an ongoing process in an organization that is both offensive and defensive depending on its use.
» Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, these tests are frequently needed for compliance with regulations that set the minimum requirements for cybersecurity programs.
Don’t sing the misprision blues: A little known compliance risk
Daniel Coney (page 33)
» Misprision of a felony is a little-known criminal statute that is often used as a “lesser offense” plea tool and represents a compliance risk, particularly when dealing with third parties.
» Misprision is in a family of offenses related to obstruction of justice and is a close relative to the charge of accessory after the fact.
» The elements of the crime involve both knowledge of a crime committed by a third party and some attempt at suppression or concealment of the crime.
» A lie (commission or omission) that tends to hide the fact that somebody else committed a crime, particularly if it protects one’s interests, puts a person in the crosshairs of a prosecution for
» Your risk planning and compliance training should be thinking about how market factors, profit motive, and individual motivations can lead to the temptation toward misprision, and how to mitigate that risk.
Get the most out of your
Steve Shoop (page 39)
» Establish your committee formally with
» Use your compliance risk assessment to assemble the right skills on your committee.
» Get committee members the information they need in order to allow them to contribute at the meetings.
» Have a compliance plan and share it with your committee at every meeting.
» Always show the committee how its work helps to achieve compliance plan goals.
Caught doing the right thing
Marjorie Maier (page 43)
» Breaking down prior cultures or perceptions is very hard work, especially where Compliance is viewed as the police, speaking up gets you nowhere, and making errors and admitting them results in disciplinary action or worse.
» All organizations are made up of people, all with experiences and perceptions that they bring with them from previous employers and their respective compliance cultures.
» If an employee’s self-reported error brings to light a systemic risk or a manual process fraught with potential for error, and the employee helps develop an improved automated process, we want to recognize that employee.
» Many of those who were recognized would not otherwise have an opportunity to sit down with our CEO for a one-on-one conversation in a small group. None of this effort to catch people doing the right thing was particularly expensive.
» This is how we can effectively mature a culture of compliance, by rewarding the behaviors we want and broadcasting the message loudly and clearly across the organization.
FBI Compliance Academy: My blink experience
Walter E. Johnson (page 51)
» The relationship between the Society of Corporate Compliance and Ethics and Federal Bureau of Investigation provides ethics and compliance officers the opportunity to learn about the
» The FBI Academy in Quantico, Virginia, is a demonstration of the FBI’s commitment to training agents to be ethical leaders who demonstrate integrity in their decisions.
» Presentations provide attendees with the FBI’s perspective on current events.
» Desired results are accomplished by following the principles of ethical decision-making.
» Time pressure increases inaccuracy in making
Will compliance become the new
Yaron Hazan (page 57)
» Industry-driven standards raise the bar of compliance even higher than regulatory scrutiny.
» No identified breach does not mean your organization is compliant.
» Risk assessments are important but will not tell the complete story.
» Culture is the basis for appropriate behavior.
» An effective compliance program is one that would pass the investigation test.
Non-financial audit in a corporate
Robert Purse (page 63)
» Business is nothing but a trust chain.
» Non-financial audits are central to effective compliance and corporate governance.
» Non-financial audits, like statutory financial audits, must be conducted honestly, objectively, and with
» Good planning, preparation, and monitoring are crucial to successful non-financial audits.
» Non-financial audits should be integral to the processes and systems that underpin effective compliance and corporate governance.
Social media: Steps to mitigate the most dangerous
Cameron Jackson (page 67)
» Enterprises must understand the potential outcomes of social media risk and the effect that it can have on their strategy, brand, and bottom line.
» Take the time to create a social risk triage plan to properly identify and address social risk protocols.
» Actively monitor your social brand mentions to ensure that you understand public perception.
» Have a pulse on the activities of your critical partners and vendors; consider contractual preventive and
» Educate your employees on the importance of social presence and professionalism into the “always-on”
ISO 37001: Checking the box on
Ramsey Kazem (page 71)
» ISO 37001 was a welcome development, as it provides a universal framework for managing bribery risk that can be used by organizations of all sizes, industries, regions, and risk profiles.
» A unique feature of ISO 37001 is that an organization can demonstrate compliance with the standard by obtaining a certification from an independent,
» Critics of the ISO 37001 certification fundamentally misunderstand the mandatory requirements of the standard and the thoroughness of the certification
» An organization can only achieve ISO 37001 certification with documented evidence that the standard’s mandated policies, procedures, and processes are implemented and followed.
» The ISO 37001 certification provides an objective means by which an organization can demonstrate that its anti-bribery management system conforms to international best practices.
Compliance & Ethics Professional, December 2017: Takeaways
Tear out this page and keep for reference, or share with a colleague. Visit www.corporatecompliance.org for more information.