Transcript: Denis Jacob podcast

US Content Manager Julie DiMauro spoke to Denis Jacob, ethics and compliance business partner at Henry Schein, about his perspective on compliance and risk management in the healthcare arena.

This is a transcript of the podcast "Denis Jacob charts a path through regulatory uncertainty for healthcare". Denis tells GRIP’s US Content Manager Julie DiMauro about what compliance can and should do in times of regulatory uncertainty and the details around data, supply chains and third-party risk we should keep top of mind.

Julie DiMauro: Greetings everyone, and welcome to a Global Relay Intelligence and Practice, or GRIP, podcast.

I am Julie DiMauro, the US Content Manager for GRIP, talking to you from New York City.

GRIP is a service that features a daily website of articles on a variety of compliance and regulatory topics, plus podcasts and other deep dives into compliance trends and best practices. You can find the service at grip.globalrelay.com, and we hope you’ll connect with GRIP on LinkedIn.

I am so pleased to announce that today’s podcast session features Denis Jacob, ethics and compliance business partner at medical equipment manufacturing company Henry Schein. I’m going to ask Denis to please introduce himself and describe his background before we kick off the program. Over to you, Denis.

Denis Jacob: First of all, thank you for the invitation. A pleasure being here with you, Julie. So I’m sure there’s going to be a great conversation. Before I introduce myself, I just want to make a quick disclosure. Say my words today are on my own behalf. I’m not speaking on behalf of Henry Schein, but I’ll be able to tell a couple of things about my own experience and some learnings I had along the way.

About myself, so Denis Jacob, bit over 20 years of experience in compliance and risk management. I’ve been in both the internal audit side of things and compliance. I pretty much worked most of my career in healthcare, both in medical device companies and pharmaceutical organizations as well.

And my experience is pretty global. So I’m originally from Brazil, so did a lot of work in Latin America, been living in US for about a decade now. Like I serve global organizations and manage teams like all the way from Mexico to Australia, including all the different countries in between. So really, really a pleasure to work with my colleagues around the globe.

Julie DiMauro: Thank you so much, Denis. All right. Let’s jump right in. Let’s get into the weeds about third-party risk management in healthcare. For starters, what are the biggest challenges here, the outsourcing risks that truly keep you up at night?

Denis Jacob: Well, there’s quite a few there, like, and there are domains, they’re very fluid, so they keep coming and going. But I would say the three top ones that come to my mind right now, definitely anti-bribery anti-corruption is one of them. We cannot avoid talking about this topic when we talk about third-party risk management.

The other one, which is the topic of the moment, I would say, is cyber. So cyber security is definitely a topic, not only for third parties, but definitely for third parties as well.

And the third one is about human rights and forced labor. So I think those three topics, those three risk domains, so different in a way, but at the same time with some elements in common and impact third-party organizations and healthcare organizations as well.

Julie DiMauro: Absolutely. And we’ll take a deeper dive into each of those in a little while. Third-party related risks have been in the compliance officer’s radar screen for quite a while now. And how have companies tried to address this and what should they be doing differently to manage these risks effectively and maybe more efficiently?

Denis Jacob: Well, that’s an interesting one, because each one of those risk domains, they became more prevalent at different times. The organizations, the way they’re organized, most of them, of course, make a general statement here like they start addressing the risk separately. So let’s say about anti-bribery anti-corruption, so about maybe 15 years ago, a big wave of FCPA enforcement companies started putting together compliance programs, and they started addressing that through the compliance department. Now cyber is a more prevalent one, like now you have the CSO organization or the IT organization trying to address this, and then you have human rights.

So what I’m trying to say all those risk domains emerge at different times, and companies a lot of times don’t have a coordinated approach to address those risks, which creates both inefficiencies and sometimes an ineffective process as well.

So trying to be a little bit … have a little bit of empathy for the third party, so if you’re on the other side of the table, you’re getting all those questionnaires, all those questions about this and that. Like the whole process becomes sometimes very duplicative and sometimes redundant.

To the extent that companies can start looking at third party risk management as a more holistic approach, I think that will be definitely more beneficial from the process standpoint, but also to make sure we’re managing those risks more effectively.

So I think that’s the biggest change I see, and I see some organizations already going on that direction, and the results and the response from third parties is being very positive about like, well, let’s have a more coordinated discussion about risk management and not the risk domains in isolation. I think that’s the one change I see, like from when I started doing this and I started on the compliance side of things.

So we created those traditional compliance programs with like background check and the contracts and all that. So I think it was a great work with that back then, but like working in partnership with other risk management functions, I think is a must to be able to address those risks effectively and definitely efficiently, which in times of like budget constraints, it’s a critical need.

Julie DiMauro: On a more granular level, though, is there some technology that can be used, maybe changes to questionnaires that are sent out, inspections of premises, just on a more granular level what can we do to actually make this process a little more effective and efficient at that baseline level?

Denis Jacob: Absolutely. Yeah, technology is definitely something that helps a lot. So like I would say, it’s a tech-enabled process, but you need to have a process first. I think that’s where like some companies are still not there. So they have the technology, but you have one for cyber, one for human rights, one for ABAC (anti-bribery and anti-corruption). They don’t talk to each other. They have different, sometimes just align your timelines, how often you’re asking for information to your third party.

So in having like a tech element that can help to facilitate that process, that’s great. So like everyone’s talking about AI or gen AI or other uses of technology, now I think this is great. I think there’s great opportunities to leverage technology to improve those processes. But first, like is a step back and look, what’s the process? And think about the user experience, because normally, like maybe a self reflection here as a risk management practitioner, we think about our own risk domain or process. But let’s start thinking about our internal clients.

So if you are a user, like if you’re a company, I don’t know, leader, and you need to bring a new third party, how do I make that process more user friendly? So how do I ask those questions in a more plain language?

Because it’s pretty easy to get into very technical questions and the user is like, I really don’t know what you mean by this. So if we can like reframe those processes to be more aligned to the user need, and also then how do we address those risks?

Technology can be a great help. And there’s great possibilities and great products in the market, which I’m very happy to use some of them. But in my own experience, I think having that understanding of your process end to end is critical so you can get the best out of technology.

Julie DiMauro: Absolutely. Do you see your top three or four risk areas moving around or even being replaced by new ones in our new political and regulatory climate?

Denis Jacob: Oh, they move all the time. [Laughter] I think they like every day you have a different one, but I would say the trend there is still pretty relevant. I think the one that’s kind of coming up in the last few years being trade compliance. So for sanctions, but now we have a lot of discussions on tariffs as well.

We’re going to see everything is changing very quickly. So I think that’s where organizations need to be paying attention, to be very aware of the emerging risks that those chains bring in terms of bringing new third parties, how this is going to shift, where your product’s going through, where your product’s coming from.

In healthcare, particularly, there is always a risk of product diversion. So something to be aware of your supply chain and how you serve your clients. I would say trade compliance in a broader sense is definitely one that’s becoming more of a topic and based on conversations that I have with other industry leaders as well. I see it in organizations paying more attention, but I think it’s connected with the rest.

So basically the understanding of who are your third parties, what’s the need, what’s their role they have in your organization, and how do you get the best out of those relationships. But I would say they go, they flip from time to time. ABAC hasn’t changed much. I see those articles and those metrics of anti-corruption enforcement is very hard to see one that does not involve a third party.

Julie DiMauro: That’s so true. And just back to supply chain, do you see compliance officers engaging with the supply chain procurement teams more often nowadays? Is it the type of thing where supply chain is more of the compliance officers’ remit than it ever was?

Denis Jacob: I think so. I think the pandemic also helped with that because we had a lot of disruption on how supply chains were organized and some countries were more restricted. I think everybody realized, not everybody, but most companies realized that we need to have a different understanding of how we establish resiliency on our supply chains. And that’s where compliance officers are pretty much well prepared because we deal with these kind of situations all the time. And that partnership works really well.

We start talking about risk as this possibility of things not going the way you want it. So we’ve seen not that long ago, like we have to talk about the climate as well, which is another risk that’s emerging. But we’ve seen some supply chain being affected here in the United States because some states were impacted by climate events and we’re seeing some products not being available at hospitals.

So that whole understanding of how to manage risk, how to have those contingency plans in place, compliance officers are very well prepared to deal with that. So that relationship with procurement is only improving because we have to manage all those other risk domains. So we’re talking about human rights and forced labor.

That’s another topic that compliance and supply chain and procurement organizations deal a lot. And this goes back all the way to conflict minerals, which is not even a topic that’s new. That’s where that relationship started to form and is just becoming more and more important these days.

Julie DiMauro: Absolutely. And that gives me a nice segue because I do want to do a deeper dive into the specific risks that you have mentioned already. So when we first started talking, you mentioned three and you’ve thrown out a couple of new emerging risks. So going back to those original three, I’m going to put FCPA at the end because there’s just a lot of uncertainty there, but I want to talk about it.

Let’s talk about cybersecurity, Denis. And maybe you can tell us what you have seen in the past several years, why it continues to be so top of mind for organizations and why we can’t get our arms around it. Because it is such an ongoing threat to all businesses, what is it that business leaders like compliance executives can do to build resiliency in this area?

Denis Jacob: Well, I think first in healthcare specifically, our data is super rich. Like that’s critical data. I think there is no dispute about that. And we’ve seen a number of companies being impacted by cyber events recently.

There’s the geopolitics also at play here. So companies that are not paying attention to this, they’re definitely behind the curve. So I think that that’s the key thing. Actually, now moving into like what companies should be doing, what they should be considering, we need to think about how do we serve our clients today. It’s very different from the past. So, for example, in the medical device sector, when you think about medical device, a few years ago, you would think immediately about hardware.

We’re thinking about like a piece of equipment that will be like a user in a procedure or implanted on a patient. That’s still true in part, but now medical devices move in a lot more into Medtech.

So we have a lot more connected devices, for example. And this a few years ago, actually, like the FDA already started like looking into this and seeing like the risk of connected devices representing vulnerability to the entire supply chain that serves our patients. And we’re seeing like the FDA putting actions and requiring manufacturers to start understanding better, like what’s the risk level of those connected products. And even requiring things that are pretty common on the tech world.

What is like the software bill of materials? What kind of product you have embedded in your products? How do you plan to maintain how you’re planning to fix those glitches? We’re talking about tracking those assets to understand where they are, where they are connected, what kind of like a network vulnerability they represent. And they’re important for everyone. Of course, the patient is the number one.

So like we need to keep that focus always. But the system as well can always be impacted because if a bad actor has access to one of those connected devices, potentially that person could bring down networks of one whole healthcare system. And we’ve seen this happening in the past. So like that’s still a risk. And not, I think about a couple of weeks ago, we’ve seen here, like in the US, some news about like backdoors that were identified in certain products and now they’re like requiring like a hospital and other systems to take action to disconnect from the internet.

So it’s super critical. There’s some action being taken place, but I think the understanding what’s the life cycle of your products is still very critical because sometimes you put a product in the market with the latest and greatest technology, but in a few years, maybe that technology is no longer supported, but it’s still there serving patients and healthcare practitioners.

Hospital systems and practitioners, you would need to start thinking a different way about those assets, not as hardware, but like, how do I keep my tech up to date to prevent any kind of intrusion or like to keep the system as a whole safe for any, any possible invasion. So it’s, it’s becoming more and more a tech discussion that also has implications on the hardware side of things.

Julie DiMauro: It’s fascinating to think about the medical devices that people are relying on for their own health – and what information those devices are collecting – and the possibly various apps on your phone that are medically related that people use. All of these tech tools are collecting data, and all of it needs to be stored safely, transmitted to the right people with the right set of privileges, etc. There’s so many implications here.

Denis Jacob: There are! If you think about more than a legal side of things, like the basic privacy laws, like how do you guarantee you have the right consent, the right process to store and to dispose of that data. So that’s critical. But I think the devices are going one step ahead.

So like in the past was more like for measurement, let’s say, and now we’re seeing like sometimes medication being dispensed. So when we think about the glucose monitors now they’re connected. So you have also the possibility to have insulin pumps also connected to those devices. I’m fascinated by all this technology.

I really appreciate the advance of medicine and research, but we need to be very careful in how do we manage those risks. So we don’t expose patients to unnecessary risks. But it’s fascinating how it’s evolving from the traditional hardware to a like tech that can really help like a person to have a good life and who have good quality in their life, like even though they may have certain conditions.

Julie DiMauro: Thank you for mentioning that one. I do want to talk about human rights, forced labor. It’s been a concern for a while, but we do have certain laws that companies need to abide by. It’s reputationally damaging and a big risk in that area. Can you talk to us a little bit about that and some trends you’ve seen in that arena?

Denis Jacob: Yeah, we’ve seen like laws being enacted, not only in the United States, but in other countries. We’re seeing more enforcement in that space in different countries around the globe on that topic. Definitely there’s geopolitics at play here. Like some countries are being more targeted than others. I think we have all that.

But when we look for organizations and I think what are the challenge organizations face is just knowledge of like who they’re dealing with. Because a lot of times we’re talking about two, three, four different levels of like third parties and the companies may or may not have that information available.

So it’s not surprising that we see from time to time like I didn’t know that I wasn’t aware of that. So going back to the basic of the data, your master data, how do you onboard those third parties? What kind of work will be done and who’s doing that work for you?

Are questions that need to be asked at the very beginning of that relationship, even though you may do background check on that organization you’re contracting with. But like how much visibility you have and who’s actually doing the work for you and what kind of risks they may be exposed or even like.

So we’re talking about the basics of know your customer, know your supplier. So before like the typical background check. I think that’s where organizations are becoming more structured. It started a few years ago, like I say, maybe a couple of you.

I think it goes back to conflict minerals again. I think that’s where it started. But like with forced labor laws being enacted in the US and Canada and other parts, we’re seeing companies start looking deeper on that topic and start to report it on that. And even while there’s an interesting topic, which is like, how can you audit that process? Like we’re seeing companies starting to exercise audit rights. Sometimes that process works, sometimes doesn’t work so well.

We see some negative news about audits that were not properly … let’s say maybe there’s some discrepancy in the way that the audits were executed. So it gives a false sense of security. So I think it’s an evolving process and companies are definitely aware of their risk. But it goes back to the basic calendar understanding who you’re contracting for, what kind of work and who is doing that work for you. And there is, as you mentioned, the reputational risk is too high here for companies just to say, I didn’t know. But you should have known.

I think that that’s the different question. Like and that’s something we’re seeing consumers exercise going beyond healthcare, of course, exercising their rights. And social media is definitely playing a role here. Like today, everybody’s armed with a smartphone with a camera. So companies need to be very mindful about like their brand, their reputation and how they engage with third parties. So just saying ‘it wasn’t me,’ I don’t think that’s an excuse that would fly.

Julie DiMauro: It’s such a tricky area, though. I’m thinking about the challenges on the business side – you’re dealing in jurisdictions that are far away from your headquarters with manufacturing, distribution, sales, etc. It’s hard to track all of those important steps and stages and do every element of the due diligence right.

Denis Jacob: True. And I think going back to your previous question, I think that’s where technology can really help because it’s a lot of data. It’s a lot of moving parts like the other thing. And that’s a very practical challenge. Sometimes you contract with the third party for one kind of work and that relationship evolves in one or two years. They’re doing something completely different.

So that ongoing monitoring, that transactional monitoring of that relationship, which is the basic of contract compliance. Are you doing what you’re contracted to do or are you doing something else? So like that’s something that having the proper technology and the proper process in place can really help because then you can focus your human resources in what are the real discrepancies, like because nobody has all the resources to look at everything all the time.

Julie DiMauro: So true. I really want to get into the weeds about anti-corruption and FCPA, the Foreign Corrupt Practices Act, and general monitoring in the environment that we’re in right now.

There’s a lot of uncertainty surrounding the FCPA specifically. Let’s just say the law is still on the books, obviously. You know, it’s not like we have gotten rid of the law. It has a statute of limitations of five years that outlasts any administration. And other countries such as Brazil have their own Foreign Corrupt Practices Act corollary, their own foreign bribery legislation.

There are reasons, right, to abide by this 1977 law, the rules with regard to monitoring bribery and books and records inputs so that there are accurate attestations of your actual transactions.

But enforcement priorities have indeed changed. What would you advise businesses in this area in terms of still maintaining a very strong anti-corruption, anti-bribery posture as a business? You know, do you take the foot off the pedal, or no? Abide still by your policies and procedures. What changes, if any, would you recommend?

Denis Jacob: I would say nothing’s changed. So like we have those discussions among compliance and legal just because that’s what we like doing on our free time about what changed, what hasn’t changed. But with the business, nothing’s changed. Like the law is still there. As you said, like most countries, I don’t know any country where bribing is OK.

So like it’s still illegal everywhere. And the way I like to phrase as well to the business is just bad business. So like we want to do good business and want to say good business, like profitable, sustainable business. We want to have relationships that are based on trust with our partners.

So if we put like in the way I address compliance and that’s my personal preference, like of course, there’s a legal framework that supports all of that. But I try to translate this into business terms because like the business really doesn’t, they don’t want to know if the FCPA has two provisions, one of this, one of that. So they want to know, OK, like what should I think about when I’m doing business with someone?

What are like the operational metrics? What are like the how do I what good looks like on a relationship with a third party? So that that’s kind of like I try to frame this in a way that we’re not going to be discussing enforcement because to be honest, I always thought it was a bit challenging.

Definitely like the announcement doesn’t help. But I think it gives us an opportunity as compliance officers and compliance practitioners to rethink compliance as a more strategic approach than necessarily legalistic. So like for many years, we’ve been thinking about, well, like we have the law and then we have the sentencing guidelines.

We have all this and you do that. And then that’s very technical. It’s very important, of course. But when you’re talking to a business executive, that’s not how they think. Like they think in a different way. They want to know, like, what could go wrong with this business here? What could disrupt my strategy? And that’s where I think we as compliance people should be thinking about. Let’s work in coordination with the business to advise on the strategy.

OK, if we’re going to expand to another country where we don’t have a presence, like how do we select a new business partner? How do we develop a sustainable relationship from the get go? Like how do we put like rules of engagement? There are beneficial for everyone because like you don’t want to do business for three months. You know what you want to do business in the long run. You want to make good money. Like, look, we’re most companies are for profit. We want to make money.

We want to be profitable. Bribery and corruption. That’s not sustainable in the long run. Like companies will get in trouble either like because the laws are being enforced or not. That’s a whole different discussion. But like the relationship that’s based on something like that in my own experience, they always end up in trouble and cost a lot more money to fix. So the way I’m trying to long story short, like nothing has changed. Like we keep selecting good business partners to do good business with us. We want that relationship to last for many, many years. We want to be profitable.

We want everybody to be happy with that engagement. And the only way to do this is to do business the right way, not only following the law compliant with the law, which is obviously like the minimum, but also doing an ethical manner, which is a much different conversation. So what’s ethics? And we could debate for a couple of hours on that.

But if we have that relationship and that understanding about what’s good business, I think that that resolves the problem. We don’t open space to discuss with people like a more technical side of things. Well, like the enforcement is being suspended for a couple of months. Yeah, like I understand all that. But you have the UK, you have France, you have Brazil, you have all those different countries. There is like even here in the US. You still have the anti-kickback statute. There’s a lot going on. And I would say compliance officers are easier, not less easy.

Julie DiMauro: I love this response. And I love how at the start you said that it gives compliance officers an opportunity to look at it as not just to check the box. We are satisfying the requirements of the law. And that law was created for a reason. Why is it that we care about anti-bribery provisions and policies and procedures? Well, because it actually creates, you know, incentives for ethical behavior, better relationships, accurate books and records.

Again, I don’t see the government suddenly not enforcing fraud statutes because you’re cooking your books and they’re suddenly going to turn a blind eye to that. Right?

Denis Jacob: Exactly right. And the FCPA is just part of the puzzle. It’s not the only one. Right. Like Sarbanes-Oxley, we have other SEC rules, like for especially for public companies. There’s a it’s a framework of laws and requirements and regulations that apply to companies like the FCPA, I would say is definitely a cornerstone of compliance. And that’s how it started. But like it’s definitely not the only one.

So you mentioned fraud. That’s a super relevant topic. Like that’s what I describe as bad business. It’s not good for anyone. If you have the right controls in place, you have the right books and records in place, you start either preventing or detecting fraud early on. So in a way, we’re still compliant to the FCPA. But because it’s just like an efficient way to allocate your money, to use your money and actually to return the investment of your shareholders.

So I think that that’s what I define in a more specific way, what’s good or bad business. So if we’re running the business in an efficient and effective way, we have the proper controls in place. I don’t think anybody would be unhappy with that.

Julie DiMauro: Absolutely. And we had alluded to a couple of emerging risks earlier. You talked about supply chain procurement. What was the other one?

Denis Jacob: Well, definitely the climate. We need to talk about that. So yeah, we’re seeing climate events happening in different parts of the globe. Which could be all the way from a tornado, a hurricane, a snowstorm, fires. So that’s risk. So when I think about risk, I think risk is the broadest term, like because that someone can really disrupt your ability to do business because if your office is on fire, definitely you’re not going to be doing business.

And then if you have all your manufacturing, one location that’s very exposed to hurricanes a couple of times a year, you may be exposed to possible hurricanes and how do you supply your clients.

So I think that goes back again to the pre pandemic mentality where companies were looking to, OK, let’s centralize some operations. I think about having scale, which makes a lot of sense, but also to diversify now based on different set of risks, either geopolitical risks, but also climate risks as well. How do we make sure like if one location is impacted by a flood, we’re still operating?

I think that it’s something companies can no longer ignore. And we’re seeing like those thoughts being taken, well, in the bigger context, either if you’re bringing manufacturing back to one country or to the other, where do you put the manufacturing? How much can you concentrate on that one product?

And even governments are looking into it because if you have a certain critical product for the population only being manufactured in one place and something happens, well, now you have a big problem here, which could be a pharmaceutical product, could be, I don’t know, anything related to serving like the bigger population.

So the climate will change the way we allocate resources, how can we organize their supply chain? And even for their third parties as well, how you qualify them because you may be looking, OK, great, you have good reputation. I did my background check. I understand you have the great capabilities. How prepared are you for a tornado?

So like if that were to happen, if like, I don’t know, if we were to lose power for a couple of days, can you still operate?

Those are basic things. But we see sometimes this happening. Like remember a couple of years ago with the Sandy hurricane here in New York. I remember one actually they had their generator on the top floor, but like their fuel tank on the basement. So which was flooded. So like basic stuff like even how often do you test your plans? What’s your preparedness approach?

I think companies are starting to become more aware and hopefully we can learn with others. We don’t have, we don’t wait to happen with us to start doing that. So let’s prepare. Let’s practice. Let’s exercise our processes and we keep improving. But definitely climate. It’s one that we cannot ignore.

Julie DiMauro: Great point. It all points back to business continuity planning, right? That climate aspect of it is so integral. Natural disasters happen and they can happen to your critical vendor, but also to your critical vendor’s vendors, you know, so that’s again, finding out and having line of sight of who they are.

Denis Jacob: Yes, and also what is critical? I think that’s a big topic. Like in the past, I had a conversation with one company how they organize their critical vendors and they look for the big dollars. So but we had a vendor selling this very small part, like a small rubber part, like it didn’t cost much money. But without that thing, the whole machine wouldn’t work. And because in healthcare, everything needs to be certified, if that company goes down, it’s not that it can bring any company to provide that product.

So you need to go through a whole new certification process to get that new vendor approved. My question, like, do you have a backup one approved? Because if anything happens to them, like pretty much you’re out of the market for a couple of months, you’re going to have backlogs. And like, well, we’re thinking about criticality in a different way.

It’s just like having those discussions and have other people that are sometimes not in the loop, let’s just look at your process and pressure test a little bit. Like, so if you miss that one component that may cost you 10 cents, can you still bring your product to the market?

Julie DiMauro: Absolutely. And in terms of testing your business continuity plan, would you recommend at least annually? How often?

Denis Jacob: I would say annually, I think is a good frequency. Like it depends on what kind of risk and where you are. Like you may do this more or less frequently. And also you can use different components of your BCP that you want to test. So you can kind of rotate certain things, but I think on an annual basis. But my only comment on that would be, be very intentional about your test. Don’t just go through the motions. Really pressure test. Make sure to act this as if it were real, because sometimes people just go through an exercise, a little bit check the box. And then when you go to a real situation, let’s say if we’re talking about access to systems and computers, make sure you really test not only like, well, yeah, I think it’s ready. No, no, no, you need to know it’s ready.

Because like from passwords, from network access and everything, because I’ve seen unfortunately a couple of times in my career, when those programs had to be used, a lot of things don’t go according to the plan. That’s life. We’re like, we need to adjust and we adapt as well.

There’s always new circumstances, but I think your plan needs to accommodate to that as well. Because what if because sometimes you have a secondary location, for example, like something happens to our building, we’re going to go to this one across the street. Yeah, but if you have a tornado, the whole neighborhood is gone. Right. Like, so you have to think about what kind of risk you’re exposed to, like if that were to happen, do a simulation like, like use outside companies to pressure test, they can do like blue team, red team exercise. So there’s different ways to do it.

But I think companies and shareholders are becoming more interested on the topic because they’re seeing like what kind of disruption and how much that can cost to a company to recover to an event like that.

Julie DiMauro: Great points. Now, I’m thinking of medical devices and I’m thinking of things that keep technology companies awake at night, and one of those things could include introducing artificial intelligence into the business, right? And using it maybe to design products and build it into products that the business is offering.

What are your concerns around AI in terms of the governance and guardrails around it?

Denis Jacob: Well, that’s interesting. AI – I think that’s a fascinating technology, first of all. What I think now sometimes a bit of a challenge is like, is trying to, some people are portraying AI as a solution for everything and sometimes it’s not. So I think I’m old enough to remember the last buzzword used to be data analytics. So like everybody was talking about data analytics and now it’s AI.

And one experience I had in my, one of the previous company that I worked, they really wanted me to develop like data analytics and dashboards. It was like, well, let’s talk about first, what problem we’re trying to solve here. Instead of talking about the solution. And then we had to kind of like take a few steps back and then we agree on the concept. What are, what’s the issue? And then what’s the right solution, which in that case, data analytics helped. I think the same thing with AI. I think AI has so many uses.

And when you think about what are the use cases we’re trying to have AI available for it. And I think that helps with the governance. One very basic thing that AI is exposed to is master data management. So lots of companies, they still struggle to manage their master data. And then if you put AI on top of that, you’re going to put bad data on your AI model. Your AI model is going to be trained on bad data. It’s going to produce bad results. So like for me, that’s one, it’s very simple, very transactional, but a lot of companies still struggle with that.

They’re like, well, we want to have Gen AI, we’re going to have a chat bot, we have an AI agent. I think that’s all awesome. But like you need to focus on the fundamentals. What’s the foundation of your data? Do you have good data? Do you have good processes to train your AI? Because then we hear about bias, we hear about hallucinations. So if you don’t put good data in your model, you’re going to have some very poor results.

And also what kind of controls you put on top of that? Like, what’s the use of AI you’re going to have? What human supervision? That’s what I’m trying to say. Because if you’re going to put a chat bot and that chat bot is going to produce responses that people will rely on, how do you make sure you manage those responses in the way that if there’s anything that goes outside the guardrails, you’re picking that up and you’re not allowing people to do the wrong thing based on wrong advice. So there’s a lot of discussions about creating processes because everybody’s super excited. Everybody wants to do something with AI.

So having first, having a policy about, OK, how do we adopt AI technologies in your company? I think having a group of people that can look into that and have that discussion, I think it’s important. Just don’t allow people to go there and do whatever. But in communicating, over communicating, I had a company I worked with in the past, now my current company, but they were just like, well, we need to write those reports and we’re using one of those gen AI tools to do that. They’re just putting a lot of confidential information there and getting those reports. I was like, are you allowed to do this? Like, did you check? Like, wow, I didn’t know. Nobody told me if I could or could not. I’m just doing it.

So like being very vocal about what you can, you cannot do. Like some companies now they have their own AI or gen AI tool, which is great. But if you don’t have like, talk to your people, tell them what they can or cannot do, because if you’re silent, they’re going to use it on their personal phone or their computer or whatever. And then you’re going to see your data out there being used to train other models.

So I think that communication piece of the governance is pretty critical. And being very clear about what kind of uses are acceptable. And it’s almost like having a governance model that like you do that, your review, you approve those uses, what partners you can rely on or not, where the data is going to be stored and things like that. So the good news of all AI, I think it’s a technology that the cost tends to go down.

So more and more companies are going to be using that a lot. But I don’t know. I just think it’s a tool. It’s a great tool. What is it to? I think like great human creativity is still like the best solution for everything. And if you have a great tool, you’re going to produce amazing results.

But like, I don’t think it replaces the human creativity. I think it kind of helps you to get some stuff done faster. For example, I may use sometimes like if I need a first version of something, a first draft or like some like basic things, and then I’ll do my own like a review. It’s my work product. I don’t do anything that, well, AI did it. Here we go.

I just push send. Like in my company specific, we have a very robust governance process. I don’t use for anything at the company right now because we don’t have like a previous for those external tools.

Julie DiMauro: Terrific. And I want to ask you a little bit about training. How do you best train your employees about third party risk management, the importance of it, how to actually conduct it, you know, efficiently, effectively, what are you looking for in terms of best training outcomes?

Denis Jacob: Sure. I think you first have to do role-based training. So you cannot train everyone on everything. So people receive a lot of information. Like you can do online training. You can do in-person training if you have the resources. Like what I really try to do when I train people on third party risk management is to move away from the legal framework. That’s for me to know. That’s for the legal department to know if they want to know, of course, I’ll share.

There’s nothing secret there, but I really try to share them what’s practical. So in, let’s say in healthcare is pretty common for companies to use distributors as sales intermediaries. So if I’m talking to the sales organization and they have like, they manage a interact channel, I try to talk about on their regular activities, what they should be looking for. So let’s say you’re selecting a new third party, like, well, first how do you establish the need, what do you need them for?

Like you have a new territory that you have, you don’t have coverage or they have capabilities that you don’t have. So it’s how they frame that, that need and also how they define who is the best partner to work with them. So like, do they have the capabilities? Do they have the people with the knowledge of this kind of product? Do they have like the physical facilities?

Do they have a warehouse? Do they have places because sometimes you may need cold storage and all those kinds of things? Do they have what it takes to deliver that, that service that you’re hiring them for? And then how do you, how do you pay them for that? How do you define compensation? So you know what you need, you know, who’s your partner, how much you’re going to pay for them for that kind of service and how does that compare with other third parties we have, which is basically like the, the, the, the governance around like, uh, discounts, rebates and commissions and all that, that’s some of the business really understands.

But when you talk to them in that language, so this is all sitting on the FCPA language and then all that, like, of course we have process to do background check, but that’s normally how I frame that conversation with them. And every time there’s a deviation on that, like, look, if they’re doing work that was not approved, we need to talk. If they’re asking you for extra money, let’s talk.

If they’re asking you to pay in a different place that was not agreed, let’s talk. So we really go back to like, uh, how do they measure success on their relationship? And then we start like looking at what are those, those, those, uh, ranges that like, if anything deviate, let’s have a conversation. Let’s talk about this. Like, why is your distributor asking you for this? Like, why are you asking them for that? And then like, we may have to go back to the beginning and redesign the contract or the compensation model, see if that still makes sense.

But that’s very operational and, and, and they appreciate more. Like pretty much I try to articulate the red flags in a way that it’s relevant to their work because they see a lot of things and they see a lot more than me. I’m just one they’re out there like dealing with lots of those intermediaries. If they don’t know like, well, this doesn’t look right. Let’s have a conversation that that’s, that’s my goal at the end of a training with sales organization. Like I want them to be able not to articulate the whole thing, but just to smell like there’s something here that looks weird. Let’s talk about that.

If I accomplished that, I’m successful in my job. If anybody calls me, Hey, I had this conversation, this came up. I don’t know if it’s OK or not. That’s perfect. That’s, that’s all that I want from them. Uh, and having that trust relationship that they can feel comfortable coming to me, like, uh, I’m trying to do this. Like, I’m not really sure how to do it.

And then we work together on that strategy. I think that’s, that’s the best way to establish a partnership with the business because it’s good for everyone. Like the company is going to be successful. We’re going to achieve our goals. Uh, and we’re going to manage risk, but not at the very end. We manage risk, uh, how we design that business, how do we manage that business?

And sometimes we terminate the relationships as well. Uh, and that’s where we work together. I seen, I remember many years ago, I was in a panel and people are, wow, we found the red flag. We terminate that contract immediately. It’s like life is a bit more complicated than that in healthcare. Like people in third parties, they joined third party, they joined public tenders. They participated. We have commitments to our patients.

You cannot just go out there terminating contract like that because we have responsibility to serve those patients with, with medical products. We cannot just simply … We’re, we’re not, we’re not selling any kind of product. So there’s a different kind of responsibility and different, uh, a way to do things so we can preserve the patient always. So, but, but long, long response, but like that, that’s, that’s my goal. So if they leave the training, like knowing when to call any day call, that’s great.

Julie DiMauro: In addition to all of the fine points that you mentioned, I love the idea of this role-specific, engaging, immersive type of training and something that I think plays to kind of human nature in terms of throwing them into very realistic scenarios. Also, something that you mentioned is this idea of “I just want these employees to be able to detect when something doesn’t smell and look right and then promptly report that to me.”

Now that has to do with culture so that they feel comfortable doing that or even admitting that they’ve even made a mistake and coming to you sooner rather than later when the mistake is ripened into an actual illegal act. Can you talk a little bit about that, developing that right cultural tone?

Denis Jacob: Absolutely. And I think that’s critical and that’s something that’s changing. It’s getting better. That’s what I’m trying to say. So when this whole, let’s say compliance wave started maybe 20, 15 years ago, it was a very police-like style. And so it didn’t allow for that relationship to happen. It was just like good or bad black and white. And that’s being changed in a way. Like what I try personally to do first is being out there.

Like not only like to provide them training, but sometimes to sit on their own meetings and be a partner with them. And so we can really understand we’re on the same boat here. We’re all trying to accomplish the same things. So, and so then you can start speaking their language. So I’ll give you an example from Adam.

A boss a few years ago, I joined the company in first week. She said, I want you to go out on the field with a sales rep. I’ve never done that before. And then we spend the whole day out there visiting hospitals, meeting with doctors. And that really changed my view of how the business operates. So I keep doing this since then. I think that creates a level of credibility because you’re, you’re spending the time. You’re not there to criticize anyone. You’re just there like to understand, to talk, to develop that relationship, that human relationship that’s so important. You’re not pushing policies and emails and memos and all that. You’re out there. You sit with them.

Sometimes you sit with them at their own meetings when they’re developing their own strategy and you can contribute with like, maybe, have you considered this? Have you considered that not in a negative way, but collaborate for them to achieve their own goals? And they’re like, well, you’re one of us. Of course you preserve your independence. I have a role to play here. And I’m not somebody that I’ll compromise ever.

You can always work in a more positive and a more, uh, constructive way with them. It doesn’t happen overnight because different people work with different compliance officers. They may have had different experience in the past. So it starts sometimes a little bit like, let me understand. You have to establish very clearly, like there’s a line here. I’m not going to cross, but like, if I can help you to achieve your goals, I’m happy to help.

So you start going out there being intentional, listening to what they’re trying to say. And I always ask, like to ask a question, like every time they come to me, what are you trying to accomplish here? That helps, helps to set the tone. Like, OK, what are you trying to do? Because normally people come to you, I’m like, wow, I’m doing this. I’m doing that. And blah, blah. And they want the question like, can I do this?

That’s always a question. And I always try to step back. What are you trying to accomplish? What’s your goal? And then we start like reconstruct together. What’s the best way? What’s the right way, right way to do it. And I would say most of the time we accomplish what we need. Like there’s always sometimes like, look, no, we cannot do this. That happens from time to time. But like, if you walk through the process with them and you explain to them as well, uh, why that may be a problem, I would say most people try to understand like, uh, we do with adults, we do we’re professionals. So they want it to be treated that way. So if you have that respectful conversation, uh, I think that builds credibility, they know like, uh, that you really work hard to try to get to where they need to go.

But if you say no, it’s a no, I think even to respect the no, I think that’s important, but you need to be available, you need to be out there. You need to be on the field with them. They need to see, they need to know and trust you. And they need to know you’re probably not going to overreact in the moment.

So I think always listen, absorb the information. And of course, sometimes you have to take some action and then you manage that expectation, but you do what you have to do. So trust is key. So people need to trust you, but trust takes a while to develop. It takes a minute to destroy.

Julie DiMauro: So true. Denis, this is fantastic. Just as a final question, I want to turn to your career journey. What has been most rewarding for you and what’s your advice to compliance professionals as they navigate an incredibly challenging and ever-evolving role in their organization?

Denis Jacob: Sure, and going back to what I just described, I think like the most rewarding thing is to help the business to grow on a, on a compliant and an ethical manner. I’ll give you like a little short story. I remember many, many years ago, they want to bring on a third party that I knew was problematic. There was lots of like a negative media around that third party. That was a no. And we managed like we still accomplished like we, we found, we found another third party.

The business kept growing. Few years later, lots of negative media, that third party, lots of enforcement, lots of friends, like, being involved in that from other companies and the business came back to me. So, well, I remember when we had that conversation, we, you kept us out of that one and so my company, my business was thriving, we’re doing great. And some others were on the news for not so good reasons. So that was a good moment. It was very rewarding when you see them succeeding, doing the right thing. So I think that’s one.

And I think my advice to, to compliance officers in general, like, uh, most compliance officer that I know, they’re pretty good with the knowledge of the laws, the requirements, the regulation, they know to the dots, uh, they know they’re great at that, but know your business.

Like that’s always what I tell like, like listen to the earnings calls, like listen to what your CEO, your CMA CFO are talking. And, uh, at one point in my career, I had a large team reporting to me and I always started all the one-on-ones I had with my team members, my direct reports, asking the same question, how’s your business doing? Are they making the budget? Where are they struggling? Where are their pain points? Like, uh, and if one of them said, I don’t know, say, well, you should know, because if you don’t know what’s impacting your business, you don’t know how those risks are changing.

So really know your business, know what’s going on out there, because the technical knowledge for me is, I’m not going to say it’s a given, but like somebody expect any compliance officer to have to be qualified for the job.

You need to know what are the laws that are applicable and all that. But if you know how your business is doing, and then I think you can really like, uh, be an exceptional compliance officer, really help your organization to succeed and navigate all those changes, all those, there’s always going to be changes, there’s always going to be some, some headaches, uh, and that’s where we can really add value to the organization, help them to navigate and get to the other side, as safe as possible.

Julie DiMauro: Denis, thank you so much for sharing these incredibly useful insights with all of us today and being on this GRIP podcast program. I want to thank our listeners for tuning in. As ever, please explore our articles and other podcasts at grip.globalrelay.com, and please tell your colleagues about us. We’ll see you back here for another podcast session soon.
