What led you to start a compliance and ethics program?
Unlike a lot of organizations, we don’t have to worry about law enforcement. One aspect of the fact that adults don’t believe that I and my operation really exist is that they can’t arrest us or press charges without admitting to our existence.
So we’re safe that way. For us, forming a compliance and ethics program was really a matter of preserving our integrity. Over the last few years, we had noticed that a few kids on the naughty list somehow made it onto the nice list, and we decided it was time to get more programmatic in our approach.
Plus, Blitzen is always looking for shortcuts. That’s fine when we’re up in the sky, but in the workplace, it’s a nightmare.
How did you pick your first compliance officer?
We knew it had to be someone in-house who really got the culture. Elves take some getting used to. They live and breathe toy making, and if you don’t understand that’s all they care about, you’re totally sunk. Bringing in someone from the outside, no matter what his or her experience, would have disaster written all over it.
In the end, we went with Rudolph. Turns out that nose of his is also a very strong moral compass. Plus, all those years not being invited to play in reindeer games gave him the independence we knew we needed. Rudolph wasn’t out to win any popularity contests.
Do you have all the elements of a traditional compliance program?
Mostly, but what we don’t have is a whistleblower hotline. For one, too many whistles up here. You couldn’t possibly differentiate the actual whistleblowing from product testing. Second, anything with the word “hot” in it doesn’t sell well at the North Pole. The snowmen and women were particularly opposed.
But, do you do things like training?
Absolutely, we have a full course curriculum that is risk-based, and to ensure rapid completion of the training, the group that finishes its training last gets a stocking with a lump of coal in it. That’s especially unwelcome since we’re working hard to go green. Well, green and red, but mostly green.
How do you determine what to train in?
We do a risk assessment each year in which we bring in the leadership of all the key stakeholders – elves, reindeer, Christmas tree angels, snowmen and women – to identify their key risks.
It’s an interesting process, since we get very different perspectives. The angels tend to take a very high-level point of view. Reindeer, because they’re really seasonal workers, have a deep but narrow focus. The snowmen and women are all about greenhouse gasses and global warming, for obvious reasons. For the elves, it’s safety first. Toy-making can be dangerous what with the rare earth minerals used in the electronic toys.
Anyway, we take it all in, and then Rudolph and his team identify the top risk areas. Everything cascades from there.
So was safety #1 on the list?
Yes, followed closely by privacy. While HIPAA and the new European GDPR don’t technically apply, we use them as guidance.
You see, we collect a lot of data up here. As noted, who’s being naughty and who’s being nice. Plus, when you are sleeping and when you’re awake. The pharma folks would love to have that data.
We don’t sell any of the data we collect, but we need to be careful as to how we safeguard it. We’re looking at a cloud-based solution, but given the time I spend flying through the clouds, I’ve got serious questions about the security.
Any other big risk areas?
Sanctions are getting to be huge, for obvious reasons. We’ve never been in real trouble, probably since the targets of the sanctions aren’t typically on the nice list, but you never know when regulatory winds may shift. So we have to watch the prohibited persons and entities list like a hawk.
Finally, where do you see compliance going over the next ten years?
I’m more into recording what happened over the previous year than seeing the future. Heck, if I could see the future accurately, would I have nine million Beanie Babies clogging up my warehouse? Do you want one, or fifty for that matter? Raise another sore subject like that, and you’re looking for some time on the naughty list.
Just joking: ho, ho, ho.
Adam…have you been sipping on egg nog???
Thanks for an interesting and entertaining post.
I like Santa’s overview of compliance already. I have to guess his compliance program is more effective than many in that he has and uses auditing and monitoring where many have very little or none.
I mean…you must have your A&M element together when you can tell:
• who’s naughty and nice;
• when people are sleeping or awake;
• if someone has been bad or good; and
• who is naughty and nice.
I need to pick up some of his A&M tips!
I also like that he looks over his list at least twice as this way when he does his report to the governing body, he has checked to make sure it is accurate.
Awesome and entertaining as well as educational and enlightening, I need some egg nog too! Merry Christmas!
Glad you enjoyed it. We have to have some fun.
Count me in for some eggnog too! Very creative way to explain a compliance program.
We did something very similar for our Information Security Christmas video a few years ago – “Santa Gets Hacked” – http://www.youtube.com/watch?v=NYHKjoamLiw
That was fun. Thanks for sharing.
This is brilliant! Thank you for a good giggle as I’m elbow deep in issues!
This is terrific! Very creative. This made my Monday.
Also, please remember me on the nice list this year!
Good break from the often “over serious” work we do. Thanks, Adam!
Great piece, Adam! I’m curious to know about their gifts, travel, and entertainment policies.
Jim: They only give gifts and never receive them. And the value is always priceless.