Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Corporate takedowns: American Apparel

This is the first post in a series of four posts about corporate takedowns.  Today’s post is about American Apparel.  Next Tuesday’s post is about Theranos.  The third post on April 17 is about Facebook, focused on the recent Cambridge Analytica data sharing revelations.  The fourth and final post, on April 24, will discuss Gawker.

American Apparel was once one of the largest apparel companies in North America.  Founded in 1989, at its peak in the early 2010s the company had over 250 locations.  It was widely known for its provocative, attention-grabbing advertisements and trendy yet utilitarian clothing.

However, after several years of not operating profitably and dogged by controversy courted by its founder, Dov Charney, and his attendant legal troubles, American Apparel filed for bankruptcy in 2015 and in 2017 was sold to the Canadian apparel company Gildan Activewear.  While the company’s manufacturing operations and headquarters were once based in Los Angeles, American Apparel is now an online-only retailer and makes most of its clothing, which is still touted as ethically-produced, in international locations.


Compliance challenges for start-ups in disruptive industries

In today’s fast-paced business world of innovation and advanced technologies, every company seems to offer the next in-demand disruption. Ever since the days of the dot-com boom and bust in the late 1990s and early 2000s, in the infancy of e-commerce and internet-based or networked products and services, companies have been striving to identify revolutionary items and ideas to market to consumers eagerly awaiting the next life-changing thing to buy. Start-ups in Silicon Valley and entrepreneurial communities all over the world want to develop the next iPhone that will transform every aspect of modern human life. Companies that provide services instead of making products all want to be the next Airbnb, the Uber of their industries, and so on.

But are those companies, and those goals of disruption for the sake of itself, anything to which companies should aspire? Companies in all business sectors are trying to emulate technology companies, and they may not be the best role models in terms of regulatory compliance, risk control frameworks, and business integrity fundamentals. Disruption and sustainability aren’t necessarily mutually exclusive, but many of the companies that were visible pioneers in the current wave of technological innovation and development cut ethical or foundational corners to focus on growth, sales, and branding. Companies in the new generation which seek to copy their success and single-minded commercial focus will run into legal and supervisory obstacles sooner rather than later, now that their predecessors have overstayed the honeymoon period of lax regulatory attention and are running afoul of legal, tax, and compliance concerns all over the world.

The start-up community’s response to public exposure of fraudulent or insufficient business practices – such as companies buying their own products to falsify sales success for partners and investors, or violating straightforward business operations rules like participating in mandatory state insurance programs to maintain company licensure – is to go on the defensive and blame the media. Worse yet, they want to claim that stand-out corporate misconduct from their start-up peers is the exception, not the rule, and distance themselves from it, without doing any self-examination or risk assessment to feed-forward into their own continuous improvement.

However, the venture capital firms that are keeping these start-up companies striving toward their disruptive ambitions have a fiduciary duty to their funders to contain reputational risk that could stem from these companies’ public relations and legal problems. The “bad apples” theory cannot win the day in identifying why so much goes so wrong at so many start-ups that were once ambitious and backed by prestigious funders and now have failed, are being sued for fraud, investigated for investor abuse, or accused of forgery or inappropriate accounting practices, and have otherwise missed out on reaching disruption and instead fallen into disrepute.

In any business dominated by private companies getting rich quick, delving into areas which are within loopholes or blind-spots to current legal and regulatory enforcement agendas, transparency is the victim of innovation. Doing things the right way from the beginning, with respect to ethical concerns or compliance requirements that could pop up further down the road, is subverted in favor of making money, attracting more investors, and bringing a product or service to market first and with the most attention. “Fake it till you make it” is a toxic approach to management and is no kind of leadership whatsoever. Ignoring legal and regulatory requirements cannot go on forever, as the many bans and service stoppages Uber has experienced in the last year well show. Companies may be able to grow quickly this way, but they cannot keep their business running or have much hope of holding onto their ill-gotten gains unless they tread carefully with regulators and supervisors from the start.

The cultural forces at work here are strong, and disconcerting. Founders with no experience as CEOs and even less experience as functional managers or ethical leaders are given millions of dollars by investors and pressured to be geniuses, redefine business and whatever it is they have to offer to the market in everything they ever do, and succeed at all costs. Liberties are taken, misrepresentations are made, and not every brilliant troublemaker with a crazy idea and a team of engineers turns out to be any good at actually running a legal, functioning, mature business.

The hope, supposedly, is that people will merely bend or flout the rules, and not break them, but who’s making the distinction? There is great moral hazard in creating an incentive for behavior that would lead, even incrementally, to a company that is not in simple compliance with the legal requirements for operating a business in the city, state, or country where it is located. Cautious onlookers assume that maybe if a few corners are cut at the beginning when things are small, it will all work out okay because by the time the company gets big, someone who likes paperwork or understands laws will stumble along and lend a hand. This is immature and short-sighted thinking.

Even if some philanthropic compliance officer did intervene, it would be too late to fix the cultural decay that grows at companies that do not have adequate business values and controls from the beginning. When people ask how it’s possible that business fraud and misconduct went on for years at some companies, or permeated every level of the organization seemingly without detection or interruption – this values void is the answer. To avoid a culture where cheating, misrepresenting, and making unethical decisions are all common, the foundations of the company must include cultural values where that conduct is expressly defined as unacceptable, and business governance structures to prevent, identify, and punish it when it happens.

For more on the challenges to ethical decision-making, and pitfalls for fraud and non-compliance, faced by start-ups, especially in the highly competitive advanced technology world of Silicon Valley, check out this article in Fortune from December 2016:  The Ugly Unethical Underside of Silicon Valley.

For further thoughts on the challenges that start-ups and emerging enterprises face with prioritizing compliance risk management, see this post on Tinder’s corporate culture and the role compliance can play in fostering professionalism in start-ups.  For practical tips, check out this post on compliance foundation must-haves for small businesses. And, check back next Wednesday, January 3, for a post on inexperienced (even if visionary) CEOs and the immature compliance cultures they cultivate by omission.


Compliance as both function and discipline

Compliance makes concrete and professionalizes the rules, regulations, and questions of ethics and integrity that are everywhere in life. It can be very absolute, used in creating a framework to ensure adherence to external legal and supervisory requirements as well as internal policies and procedures, to form a rules-based approach to risk management. It can also be more esoteric, probing the challenge between general norms and existing controls, and what may be morally acceptable or within individual expectations.

Considering the distinction between the function of compliance and the discipline of compliance is helpful to develop a more mature understanding of its applications in both modes. Compliance as a function creates frameworks, translates regulations and directives into internal policies and procedures, identifies program priorities, and plans management strategies. Compliance as a discipline takes all of these efforts to ensure awareness of, and steps to comply with, all relevant laws and regulations, and applies them directly to the business in order to target this work toward facilitating ethical decision-making, encouraging integrity, and positively impacting business strategy.

The function of compliance describes the general task of keeping up to date on rules and regulations and designing governance, risk, and compliance (GRC) management strategies and structures to present to senior management, executive boards, and outside stakeholders such as regulators and other supervisory bodies. This includes regulatory compliance, which ensures that organizations are abiding by both industry regulations and government legislation. This also includes designing governance and control structures intended to encourage employee and organizational integrity and create disincentives against and penalties for misconduct.

The discipline of compliance, on the other hand, describes the dynamic and business-linked support activities that the compliance professional undertakes within the broader context of the organization. Disciplinary compliance takes the above-described principles and frameworks and applies them in the business arena. This is where the rubber meets the road between the compliance officer and the business line he or she serves. In this setting, compliance is a relationship-based activity of providing advice, cooperating and aligning with other stakeholders and functional partners, suggesting defense strategies in light of real-time business risks and strategies, and maintaining an on-going bird’s eye view of the business landscape which can only be achieved by pro-active, personal engagement.

Building upon the above definitions and borrowing from the philosophy of ethics, the comparison could be made between the compliance function and normative ethics on one hand, and the compliance discipline and applied ethics on the other hand.

The compliance function links to normative ethics, in which moral behavior is compared to the norms of the social context in which the actions are taken, because of the emphasis in both on external or supervisory expectations and standards. Normative ethics is quite useful in identifying and categorizing compliance risks and suggesting possible mitigations and strategies for the ones that cannot be eliminated or are deemed acceptable to some extent. Within the function of compliance, the question of what individuals should or should not do, is answered by relevant laws, regulations, principles, rules, standards and codes of conduct, and other guidelines applicable to these individuals and the organizations in which they work.

The compliance discipline, in the meantime, can be connected neatly to applied ethics, which centers on the use of ethical theory in order to analyze and address actual moral issues that arise in work and life. Dilemma analysis and discussion, and compliance awareness dialogs, all borrow from the didactic constructs of applied ethics.   Building upon the structures and foundations that come from the compliance function and from the philosophy of normative ethics, the compliance discipline and applied ethics both are used to take these frameworks from strict requirements to living, practical considerations within the robust culture of compliance at the organization.

For more posts on types of compliance and ethics, check out some of these: Guiding principles for a compliance advisory practice; Compliance 101: A quick guide; The five branches of ethics as applied to compliance principles; How to make voluntary engagement with compliance values meaningful.  Posts each Monday, which are categorized in “Best Practices,” often address this sort of topic from both academic and practical perspectives.


Starbucks and cultural respect in design as business strategy

Starbucks is one of the most recognizable global retail brands today. Its branding is universally known, with its ubiquitous green and white mermaid logo reliably present worldwide and its slate of coffee and tea products also dependably the same. While many consumers may find consistent branding, and the quality standards expected along with it, comforting, one of the undeniable criticisms of globalization has been that localization – native customs and characteristics that often have deep historic and cultural significance – can end up subverted in favor of international sameness.

Indeed, companies such as Starbucks have struggled in some markets to import their menus and store designs to communities which may be resistant to connecting with what can be seen as a generic, foreign experience. Apart from just lacking appeal or seeming strange, sometimes these companies can offend local norms or fail to fit into the communities which they wish to court for business. While sometimes the novelty of a brand can create allure or even cult status for the company’s products with curious consumers, more often, imposing a company and its products on a community in a non-assimilative way does not likely make for a successful competitive strategy.

Starbucks has faced its challenges importing its distinctive coffee shop brand and products to new communities over the years. Even within the United States, local coffee houses with loyal customer bases have put up resistance to a major corporate brand setting up shop in communities such as Venice Beach, California, which have preferred small, local businesses to fit with an indie, alternative vibe. Outside of the United States, the powerful social value of “coffee culture,” representing a social and community activity rather than just a caffeine and snack break, has sometimes not jibed well with perceptions of the Starbucks brand. Criticisms of the products themselves come from people who have high expectations for bespoke coffee that they don’t feel Starbucks satisfies or, on the other end, a standard idea that coffee is quick, cheap, and on-the-go only, in light of which Starbucks seems expensive and inconvenient.

One striking way that Starbucks can address these objections is to seek to fit within and contribute to the community authentically and meaningfully. In Kyoto, Japan, the Starbucks Coffee Kyoto Ninenzaka Yasaka Tea Parlor is an amazing example of how a company can demonstrate respect towards a community and its traditions in the design of its public spaces. This Starbucks is located in a traditional wooden house, with subdued colors and branding on its exterior, which fits aesthetically and culturally in the historic neighborhood where it is located. On the inside, the authenticity of the retail experience to its cultural environment continues, with tatami (straw) matting on the floors and a traditional Japanese garden in the back courtyard by the coffee bar. Rather than appearing in contrast to the other businesses in its area, this Starbucks blends powerfully into its distinctive surroundings. Starbucks does not seem here like it is trying to impose its brand or style, but rather to show respect for the traditions of the very historic Gion district of Kyoto.

Joining the community in which the store is located, rather than setting itself apart from it, is a powerful expression of social responsibility and engagement for a brand to make as it seeks to attract and appeal to customers. Matching with the experience and aesthetic of such a distinctive area as Gion, which was originally developed as a district in the Middle Ages and is one of the most well-known geisha districts in Japan with the Yasaka Shrine at its center, is a challenging but inspiring business strategy. This values-based approach to growth and design leads to sustainable expansion and competition for a brand such as Starbucks, which can benefit tremendously from positioning itself as sensitive and loyal to local communities and their characters.

For more on this interesting Starbucks outlet as well as Starbucks locations in other countries that aim to honor their communities with their design aesthetic, check out this CNN feature article.


Round-up on counterfeiting of consumer goods

Counterfeiters have existed since time immemorial. Ever since the concept of value was introduced by exchange of money and the idea of authenticity or identity first became established, fraudsters have aimed to produce fake money and forged documentation. Following the counterfeit money were unauthorized copies of the products that the money could purchase, a trade which has become ubiquitous and sometimes even represents a larger market than that for the authentic item.

With the spread of globalization, a diverse range of counterfeit products is sold and bought all over the world. Sometimes this is without any attempt by the seller to deceive, with the fake product offered to a consumer who willingly buys a bootleg or replica copy. Other sales are to customers who think they are purchasing the real thing, often from a very expensive or luxury brand or of a very popular and desired item.

No matter the intent behind the transaction, commerce in counterfeit items is growing all the time and presents many dilemmas for corporate investigators and law enforcement in identifying the fraudulent practices and protecting brands from this illicit trade while preventing consumers, wittingly or otherwise, from engaging in it.

  • Most of the world’s counterfeit items are produced and manufactured in China – enough so that the trade in these fraudulent goods is a $400 billion industry, by some accounts representing as much as 10% of China’s GDP. This is a striking paradox, as many authentic items such as Nike shoes and Apple iPhones are produced practically alongside knockoff versions of the same. While the traditional logic is that counterfeit goods are part of the assumed risk of doing manufacturing business in China, corporations are actively trying to take control via clever action against fraudsters. Brand protection efforts include hiring private investigators to find and seize fake goods and try to navigate the complicated, labyrinthine underground of the Chinese counterfeiting industry:  To Catch a Counterfeiter
  • South Korea has joined China as one of the major world centers for counterfeit activity. However, unlike many of the goods which come from China, which are low-quality replicas that make unconvincing fakes to the educated consumer, the market in South Korea knowingly demands “copycat brands.” This consumer desire is driven by the prevalence of streetwear fashion which replicates items worn by celebrities and seen on the internet from brands which are not easily purchased or even available in South Korea. In order to answer customers’ requests to be up on these global trends, counterfeiters are making high-quality fakes to sell to the fashion savvy who might not even care whether their items are real, as long as they are able to access the desired style:  Why South Korea Is the Home of Counterfeit Culture
  • More than what’s in a name – what’s in a set of parentheses? For years Costco has sold rings advertised on their in-store signage as “Tiffany” rings. There is no affiliation between the rings sold by the wholesale giant and those available at the specialty jewellery retailer Tiffany & Co. While Costco made no claim that it was selling imitations of the Tiffany & Co. rings, Tiffany alleges that calling the rings “Tiffany” on the signage was a false identification, and that consumers could have been misinformed and mistakenly purchased the rings believing they were Tiffany & Co. A judge has ruled that Tiffany is entitled to almost $20 million in damages and interest from Costco for this marketing scheme, indicating that “Tiffany” is not to be used as a generic term to describe the setting of a ring to consumers, as Costco alleged it was intending to do:  Costco owes Tiffany more than $19 million for selling counterfeit rings
  • Counterfeit goods in the apparel market are well-known, everyone having seen before the ubiquitous fake Louis Vuitton and other designer bags that brands have been fighting against for years. Another area in fashion where fakes are becoming prevalent is makeup. The black market in the beauty industry is growing all the time, with counterfeiters making and selling popular products to satisfy demand when the real ones sell out quickly, aren’t available in certain markets, or are highly priced. The safe and hygienic production of makeup is a very complicated business, involving health standards, inspections, and scientific processes, which fraudsters do not typically invest time or money to replicate along with the products. Consumers have gotten sick and injured from using these fake makeup products, which are often ordered online or bought in the discount shopping districts where knockoff handbags used to be the main fare. Especially concerning is that many people purchase these fake cosmetics in bulk, to fraudulently resell online as the real thing or to use on unsuspecting clients as makeup artists:  We Went Inside Beauty’s Black Market & It’s Worse Than You Think
  • Equally concerning to consumer protection and safety as fake cosmetics is the growing prevalence of knockoff wine. The Chinese market is participating in rising prices and demand in a hot retail wine market, for auction buyers, home drinkers, and restaurant suppliers alike. Along with these eager buyers, as always, come the sellers of counterfeit and contraband products. Fake imported wines abound in China. On high-ticket wines, empty bottles of the real thing are actually sold on the black market and then re-filled with fake wine to be sold to unaware purchasers. Aside from damaging the high-end market with a flood of counterfeit wines, there are also concerns for the average consumer. Sometimes dangerous ingredients and chemicals are added to cheap wine to change the color or taste in order to fool consumers, who can then get sick from the doctored alcohol:  China Is Facing An Epidemic Of Counterfeit And Contraband Wine

Companies and governments worldwide are doing their utmost to crack down on the illegal production and manufacture of counterfeit goods, and to prevent the sale of these products to consumers. This is an effort which requires international cooperation and a constant pursuit to stay up to date on the counterfeiters’ methods in order to attack and prevent their attempts. Consumer protection and brand value to corporations are both at risk in the continued spread of these illicit practices and products.


Communication strategies for increasing employee engagement in compliance programs

Every compliance professional’s strategic annual plan will include seeking increased employee engagement in and attention to the organization’s compliance program. Communication strategies must be carefully devised with the goal in mind of making compliance vivid and interesting to employees. The compliance message can quickly become routine and dry: sign an attestation, request pre-approval, complete a checklist. This sort of messaging alienates employees rather than engaging them. They have only a small function in the compliance operations this way. Nothing is learned or shared, they are just doing a “tick the box” type exercise.

Instead, the true aspiration of the compliance messaging is that employees take interest, learn something new, ask questions, and feel connected to the story of the organization’s compliance program. This is accomplished via effective and appealing communication that speaks to all audiences and sets a new, compelling tone.

  • Key moment messaging: Compliance is highly relatable to current events and news stories. Therefore compliance communications should take full advantage of key moment messaging opportunities. Relate communication topics to outside events to make the objectives of the compliance program even more concrete. For example, if there is a major earthquake somewhere in the world and your office is located in Southern California, take that opportunity to engage with employees about disaster recovery and business continuity policies and procedures. Their interest will already be heightened and the necessity of the information will be at its most tangible.
  • Positive reinforcement: Start with a kudos, congratulations, or positive sentiment. Any action that needs to be taken or improvement that needs to be made based upon the communication will be much better received if the message gets off to a welcoming start. Set a productive tone by thanking employees for their participation in the last request or calling out good insights or high engagement. Then build off that encouragement to bring in the next steps needed and issue the call to action.
  • Branding: Branding and marketing are now important considerations across all business lines and functions. Compliance is not immune to this, as messages from so many sources fight among themselves for precious attention and airtime from employees. Therefore compliance professionals must carefully consider branding options that will maintain the substantive content of their communications yet be adequately branded to be appealing. Using humor or a catchy, fun theme to introduce the communication, before getting to the meat of the message, can provoke curiosity and prompt engagement. Don’t take it too far and make it a joke – but a little bit of amusement can go a long way.
  • Give visuals/shortcuts: On a similar note, think about making simple takeaways from the communication, however complex its overall message. One way to do this is to provide a visual, like an example of a new form that has to be filled as standard procedure, or a chart showing results on an initiative over previous periods and projected future results. If a visual is not applicable, try using acronyms or slogans that will work as mnemonics to help people remember your message and keep the meaning in mind.
  • Make it interactive: The best way to engage employees in compliance communications is to concretely incorporate them in it. Make the messages interactive for them. Ask an open-ended question and promote any responses received so that employees know the request for input is credible. Take a poll or offer a quiz. This way, employees can share in the mission and the effort by weighing in themselves, which allows them to personalize the message and be more likely to remember it.

To interest and appeal to all employees, compliance communications should not be generic or routine. Taking advantage of opportunities to make compliance relatable, and capitalizing on human interest or emotional connections that can be made, will help to make the mission of the compliance program much more interesting and effective.


Patagonia’s social responsibility and targeted political engagement as corporate values

The famous outdoor industry retailer Patagonia has a bold and defining mission statement: “Build the best product, cause no unnecessary harm, use business to inspire and implement solutions to the environmental crisis.” In this, a company which makes its profits off selling products to people who wish to explore and enjoy the outdoors has linked its strategy, growth, and indeed reason for existing, to respecting and protecting that environment. Patagonia’s reputation has been cultivated in the public eye to carefully coincide with this intention.

In recent times, however, Patagonia has grown much more quickly than its previously modest expectations, pursuing revenues wherever consumer demand takes the company and stepping up their competition. This has been driven largely by the fact that consumers who have an affinity for the environment and its protection also, logically, are interested in driving their spending power toward companies that they feel share this value. Millennial customers are highly motivated by companies which model social, cultural, and, especially relevant in the case of Patagonia, environmental values. With the vast array of consumer choices that the retail industry offers, both in products and in outlets to purchase these products, cheapest price or easiest availability is no longer the only or the loudest driver of buying power.

Patagonia has hereby achieved the special mix of corporate ambition and conscience. The company is not just an outdoors products retailer, though it still may be thought of as that by many. Instead, it has grown into a green venture capital fund, a food producer, book and film publisher, and a political activism organization that is willing to take on the US government on environmental protection and conservation causes.

Being a company that believes in something, and being rewarded with consumer loyalty, interest, and purchasing power for it, is a powerful message for compliance programs. Creating a serious, genuine corporate image based on values and then selling that image to customers as much as any other product is a huge ambition and a dynamic identity for the organization. Companies must develop corporate cultures which drive what they do with a specificity beyond pursuing sales and dominating product markets. They must recruit leaders who embody this, reinforce this honestly with their employees, and offer integrity in this message to the consumers who will trust them with their loyalty in return.

Hereby, companies such as Patagonia can become not only revenue leaders in their industries but also corporate role models to their peers and competitors. While seeking to directly motivate positive change at the publicly traded titans of industry may be biting off too much to chew, organizations can grow themselves strategically so that their own corporate impact is bigger and better.

In Patagonia’s case, relying on direct-to-consumer business via their own stores and website means that they can take their growth and values ambitions directly to their customers and feed-forward based upon the reception they receive. This is a powerful engagement opportunity for a brand, and building a political and social consciousness that is informed by it means that the company can shape itself into the type of organization its customers admire and with which they want to be associated. While Patagonia cannot force political action or change at the highest level on its own, as a company it can be forward-looking and progressive in a time when its consumers appreciate and desire these values. Hopefully, Patagonia can also be an example to other companies to raise the competitive standard for corporate cultures and relevant, genuine social responsibility as a core business value. If that is effectively accomplished, then productive change for the collective can be well within reach.

For more about the power of Patagonia’s corporate social conscience, check out Abe Streep’s story on Outside Online.


Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT networks or infrastructure, and more.

Addressing these threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like inadvertent e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Round-up on the ethics of the Internet of Things

The Internet of Things refers to physical devices which are inter-networked and can share and store data between themselves. This includes things such as televisions, cars, buildings, and other objects that have network-connected technology inside that allow these objects to be accessed and controlled remotely via computer-based networks. This also includes systems that operate in this way, such as smart homes, grids, and cities. These things can be identified and operated individually but also are part of the interconnected system and can have co-dependencies.

There are obvious ethical issues with a highly connected and complex system such as the Internet of Things, where tremendous amounts of data are stored and shared and ultimately used in often mysterious or unclear ways – certainly to improve the intelligence of the Internet of Things and make it operate more efficiently, but also potentially for malicious or dishonest purposes. Security vulnerabilities in a system which is remotely accessible are also an alarming risk, as unauthorized intrusions or destructive attacks could render everyday items such as cars or door locks inoperable or turn items such as smart houses or transportation networks against their users.

  • The technology that drives the Internet of Things has grown explosively, and legal and compliance frameworks have not been able to keep pace. Questions of liability that arise from cyberattacks on the Internet of Things and rules of responsibility governing companies working within this space are largely undefined. The Internet of Things may bring change to society similar to that of the Industrial Revolution. A thoughtful view on regulations and ethical guidance to protect privacy and security from the earliest design point in the industry is crucial: The Internet of Things Needs a Code of Ethics
  • Among all the fears of artificial intelligence and sentient, unfriendly robots with autonomous weapons, the real risk of the Internet of Things will still lie in the hands of humans. Hackers are a big threat to the system’s security and this risk must be taken seriously, with organizations investing in controls to prevent and mitigate attacks, intrusions, and disruptions that could damage devices, harm people, and interrupt business operations: Why Hackers Will Become a Significant Threat to the Internet of Things
  • The data produced in the Internet of Things is a major security and privacy consideration. Users of these interconnected devices may not realize how much information the devices have about them and their activities. The Roomba, a small robot home vacuum, was an early-comer to this market. The company that makes it, iRobot, has said it hopes to make money from selling maps of users’ living rooms to other companies. Using customer data for profit from a third-party is nothing new in the internet company world, but there are many questions of privacy, notice, and consent which remain to be answered: The Internet of Things is a data farm, Roomba won’t be its only profiteer
  • Cybersecurity fears about the Internet of Things extend to the U.S. government as well, where legislators have proposed to make sure that smart devices can receive security updates like traditional computers. Lawmakers also seek to prevent manufacturers from hard-coding passwords into their system tools that can be manipulated by hackers to take control of the related devices. The U.S. government is just as interested in the objects of the Internet of Things as consumers are, and safeguarding against present and future risks from them is top of mind: Two U.S. lawmakers think the government has a new cybersecurity problem: The Internet of Things
  • So what does all this mean for the future of the Internet of Things? Will its risks slow its growth, or will it continue to advance in both complexity and connectivity, its risks unchecked or outpacing the frameworks created to control against them? It appears likely that the value and appeal of connection, and the fear of not being able to function and communicate, will outweigh the desire to withdraw from it for safety and privacy purposes: The Internet of Things Connectivity Binge: What Are the Implications?

The intelligence and complexity of the Internet of Things will continue to grow as consumer applications become more in demand and commonplace. The need for strong security standards and clear customer protections will expand in kind. Privacy, safety, and control are all ethical concerns which compliance programs at the companies working on the Internet of Things will have to consider prominently in future risk assessments and strategic plans.


Selected lectures on dishonesty and mistrust

As a follow-up to last Friday’s collection of videos on honesty and trust, here is the polar opposite: dishonesty and mistrust. It is equally important to understand the motivations behind unethical behaviour as it is to have a view of the reasons for good behaviour. Unsurprisingly, most often these impulses are intimately related. Dishonesty, for example, is encouraged when individuals do not see trustworthiness as an important measure of success or character. On the other side, giving trust is very difficult when credibility has not been established.

  • How to spot a liar (Pamela Meyer) – Lying is not always motivated by a desire to be actively dishonest. It can be automatic, impulsive, or even motivated by altruism, insecurity, or curiosity. However, it is always deceptive. Understanding the “tells” that people give when they are being dishonest is important in remaining alert and checking for credibility before giving trust.
  • How to Spot Liars at Work and How to Deal with Them (Carol Kinsey Goman) – Also in the domain of reading people’s non-verbal cues to detect their dishonesty, there are signs specific to the workplace that someone is not trustworthy and dynamics of co-working or being in a team setting that may make people more likely to lie. Identifying when colleagues are lying and understanding why can be a management technique if this is applied to trying to create a tailored environment that will protect and reward honesty. Successful leaders will communicate clearly that they expect their employees to be truthful and will measure honesty and ethical decision-making as part of their performance.
  • The truth about dishonesty (Dan Ariely) – Self-betrayal and the rationalization it provides are major motivators of dishonest behaviour. Intrinsically, people lie and break promises to themselves in every dishonest act they do, because they are overriding their own ideas about right and wrong to give themselves permission to proceed. In this way individuals persuade themselves to ignore their conflicts of interest or flout what is socially acceptable because they have deceived themselves into thinking their behaviour is necessary or justified.
  • Why we think it’s OK to cheat and steal (sometimes) (Dan Ariely) – Behavioural economics goes further even than the above, to suggest that people do not always have to actively be dishonest to themselves to be deceptive to others. Possibly, people actually think lying or behaving immorally is acceptable because cultural norms often tolerate and dismiss “minor” dishonesty. Situational context, intuition, or heuristics can be very powerful and override the individual’s obligation to question or consider right from wrong. All opinions about moral behaviour should be thoroughly challenged in order to avoid relying upon false assumptions.
  • The future of lying (Jeff Hancock) – In scenarios such as taking an exam with the opportunity to cheat or filling out a form with the possibility of misstating information, moral reminders of individuals’ legal or social obligations to tell the truth have proven effective in curbing dishonest choices. Could technology and the internet, influences in our society which seemingly have made the truth ever more remote, actually discourage lying by making people’s statements and representations permanent and searchable? Perhaps the accountability of the internet to record everyone’s personal records can encourage them to avoid discrepancies by resisting dishonesty.

Causes of, and rationalizations for, dishonesty and lack of trust are everywhere in both business and life. Because of how common these forces are, it is important to recognize and understand them, so that individuals and organizations may contribute positively to working against their influence.