Every organization has missteps in its history. Some stay private; some are embarrassingly not. What distinguishes great organizations, though, is how they learn from their mistakes and those of others.

A lighthearted but effective illustration of this concept can be found in "Compliance: Make the Right Call" (video, 2012).


  • "So if you are aware of a potential problem affecting safety or quality and you don't speak up, you are a part of the problem. And that is not acceptable. If you see a problem that you don't believe is being handled properly, bring it to the attention of your supervisor. If you still don't believe it's being handled properly, contact me directly." That's part of the tone set by Mary Barra, CEO of General Motors, this week while announcing the report of its internal investigation into the ignition switch failures that led to the biggest recall in the company's history. Her words were part of an effort to "personalize" a sense of responsibility at the company and fight against the culture of what Ms. Barra has called "the GM nod", in which everyone nods in agreement about a proposed plan of action, then leaves the room and does nothing. The rest of her speech and video of it are available here. The 325-page internal investigation report, including a discussion of the "nod" and the "GM salute" (arms crossed, hands pointing outward), is available for download from the site of GM's regulator, the National Highway Traffic Safety Administration (NHTSA).

  • In his recent speech to Compliance Week attendees, SEC Director of Enforcement Andrew Ceresney spent "a few minutes on compliance programs and compliance officers". He is pro both, not surprisingly, unless the latter "affirmatively participate" in misconduct, "help[] mislead regulators" or "wholly fail" to implement their compliance program. Compliance officers behaving badly have faced and will face enforcement action (his speech has examples), although the SEC wants to support the efforts of those who act "diligently, in good faith" and in compliance with the law.

  • "We are going to encrypt - someday" just won't be sufficient to prevent breaches, or penalties afterward. That seems to be the lesson the Office for Civil Rights is making in two recent settlements, totaling $1.9 million, related to stolen laptops. "Covered entities and business associates must understand that mobile device security is their obligation" was the quote.

  • April 2014 - After the revelations in recent years about payments made on its behalf to foreign officials in Mexico and elsewhere (more details in other parts of this wiki), Walmart's compliance effort has been retrenching. Here's their report to shareholders about those activities.

  • April 13, 2014 - "I wouldn't change one thing." That was the message from former Sarasota County ethics coordinator Steve Uebelacker after being summarily fired and escorted from the county's office building. Yes, there's more to this story...

  • March 27, 2014 - It's been more than 20 years since passage of the Americans with Disabilities Act (ADA). But apparently some businesses still haven't learned that a "no pets" policy can't be used to exclude service animals. Don't let your organization be the next subject of a headline starting "Justice Department files lawsuit..."

  • March 13, 2014 - $1.4M and a 20-year exclusion from the federal healthcare programs: that's what John Arthur Kiely, M.D., agreed to pay and accept in order to settle allegations by the Department of Justice that he performed medically unnecessary laser eye surgery procedures on patients for seven years, and then billed Medicare and Medicaid for his "services". The complaint filed by the government details the billing patterns and associated harm to patients caused by the doctor's actions. Dr. Kiely's payment will also cover liability for claims submitted by the hospital where he performed the procedures.

  • January 31, 2014 - The Federal Trade Commission's settlement with GMR Transcription offers a number of lessons for anyone whose business involves personally identifiable information. Encryption, authentication, even anti-virus software, anyone? GMR will have 20 years to learn its lessons from this one.

  • January 11, 2014 - One consulting firm's efforts to recover from scandal, and the man leading them, are profiled well in "In Scandal's Wake, McKinsey Seeks Culture Shift" (Raghavan, New York Times; may require registration). Culture shifting isn't work for the faint of heart.


  • December 27, 2013 - "Dermatology practice settles potential HIPAA violations" was the headline of a press release published by the federal Office for Civil Rights (OCR). An unencrypted "thumb drive" containing health information of more than 2,000 patients of the practice had been stolen from an employee's unattended vehicle in October 2011. Although it apparently did not have an appropriate breach notification policy at the time, the practice nonetheless did notify affected patients, HHS and the media. It also later developed a policy and trained its employees about its content, but OCR still required a $150,000 payment and a detailed corrective action plan to settle the "potential" liabilities arising from the original disclosure.

Go to the 2013 Missteps Archive

Go to the 2012 Missteps Archive

Go to the 2011 Missteps Archive

Go to the 2010 Missteps Archive

SHARED by Toolbox members:


It’s never too late to train – Walmart’s joint venture in India has announced a broad “awareness” program for managers about the Foreign Corrupt Practices Act (FCPA), to be conducted by KPMG and “a team of lawyers.” According to the India Times, the program is “meant to familiarise [sic] all levels of associates with the basics of FCPA and provide a forum for discussion and clearing any doubts or queries.”