The components of strong cybersecurity plans, Part 3:
Mark Lanterman (page 27)
» Maturity assessments lay the groundwork for cybersecurity programs and allow management to establish desired improvement in comparison to
» A security assessment helps establish security governance by providing an independent check on information technology staff, increased awareness of security risks and threats, and prioritization of IT spending for the purposes of risk mitigation.
» A security audit focuses on the completeness, design, implementation, and efficacy of internal
» Vulnerability scanning is an ongoing process in an organization that is both offensive and defensive depending on its use.
» Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, these tests are frequently needed for compliance with regulations that set the minimum requirements for
A three-year mapping effort: Focus on compliance
Charlotte D. Young (page 33)
» Compliance programs are subject to mission drift.
» Having a clear 3-year plan will focus your limited resources on your highest priorities.
» Use the planning effort to stretch your goals for success.
» Once set, with metrics for success in place, use the plan for day-to-day operations, as well as for clear reporting.
» The plan provides a focus when new ideas or new
The foundations of your compliance program: Keeping your regulatory library spinning
Barbara Boehler (page 41)
» Identify the laws and regulations that you are beholden to—across all of the jurisdictions in which your
» Conduct a thorough assessment of current processes, staff, and practices relating to regulatory
» Recognize that as your firm grows in size and complexity, so may your need for additional regulatory
» Consider the merits of using a third party to help build out your regulatory library and operationalize change through the ingestion of content or the implementation of software—or some combination of both.
» Acknowledge and take some comfort in the fact that no one firm’s compliance program is perfect, and like everyone else’s, it is an ever-evolving process.
Defining, mitigating, and reducing harassment in
Julia Méndez (page 45)
» Read about what the Equal Employment Opportunity Commission describes as harassment.
» Understand which employees are protected
» Examine several recent settlements involving harassment, and learn how to deter that type of behavior at your place of employment.
» Learn to be proactive in teaching employees about anti-harassment policies is an important step in
» Read about tips for writing an anti-harassment policy that can give clear instructions to employees on the definition of harassment, steps to take to report harassment, and consequences
Preventing corruption in
A very different game, Part 1
Duncan McCampbell (page 53)
» Multinational companies (MNCs) must take a different approach to compliance when they are operating outside of their headquarters country.
» MNCs under-resource and under-emphasize both domestic and foreign Compliance functions for a variety of reasons.
» U.S. laws prohibiting foreign corrupt practices place western MNCs at particular compliance risk.
» The approaches currently used to prevent foreign corruption are of dubious value.
» A new, more culturally engaged approach to foreign corruption prevention is required.
Code of Ethics’ introductory letter: Importance and key
Eridona Brahaj and Adroher Pastor,
» A meaningful introductory letter comes from the strictest corporate intimacy.
» The Code of Ethics can help make a public message of the tone at the top.
» These core documents sustain momentum of the
» The letter can fortify the organization’s reputation and shared values.
» It is a chance to engage employees and stakeholders with the corporate culture.
Key compliance concerns
Mónica Ramírez Chimal (page 65)
» Cybersecurity, virtual currencies, and social media are pushing to add a new skill to the compliance officer’s profile: be an expert in technology.
» Money laundering and terrorism are themes repeated in the agendas of many regulatory agencies. Why? Because both keep growing
» Know not only your third parties, but also employees and customers in detail. This will help you to minimize the occurrence of modern slavery
» Unethical behavior is expected to increase. It can be deterred by reinforcing principles and values.
» The Compliance area must be positioned within companies. It should prove its effectiveness and also be accessible, humble, and able to lead
What the GDPR means for
Steve Durbin (page 71)
» Prepare in advance. Don’t delay until May.
» Understand the legal requirement and the penalties for non-compliance.
» Assign a data protection officer with the expertise and time to field requests.
» Get an immediate handle on your data. What are you collecting? Where is it coming from and stored? Who is responsible for it, and who has access to it?
» Take responsibility. Don’t expect government and regulators to help.
Compliance developments and concerns for 2018
Rebecca Walker (page 73)
» In 2017, we saw a number of important developments in the field of compliance and ethics, including on the international stage and in the US.
» A number of countries have adopted or begun the process of adopting deferred prosecution agreement schemes in the past few years—a trend that is likely to continue in 2018 and beyond.
» One of the more salient aspects of recent guidance from the US Department of Justice is the increased focus on the authority of the Chief Ethics and Compliance Officer and the C&E function.
» The recent sexual harassment scandals and leadership failures seem likely to lead to increased focus on how C&E can best foster appropriate behavior in organizational leaders.
» These scandals and failures will likely lead to renewed focus on cultivating speak-up cultures, improving non-retaliation policies, and creating an anti-harassment and anti-bullying culture
January 2018 Takeaways
Tear out this page and keep for reference, or share with a colleague. Visit corporatecompliance.org for more information.
Compliance & Ethics