As we navigate an unprecedented global pandemic, the attention of general counsels and chief compliance officers has been naturally turned to managing the immediate crisis before them—perhaps with limited compliance resources. But what comes next?
This article is from FRA's sister company, Compliance Week.
One day—maybe in the not-too-distant future—we will emerge to some semblance of normalcy, a “normal” that will likely be different from the one we left a few months ago. How do we best prepare for this next chapter? In this article, we will discuss six steps to take now to support your compliance program and obligations in order to emerge from this crisis in a stronger position.
1. Conscientiously communicate values
As senior leaders navigate unprecedented economic and operational pressures, it can be easy to overlook compliance and values-based messaging. But now is when employees need to hear it most.
Willis Towers Watson’s latest workplace dignity survey reported that over 90 percent of participating organizations believe “workplace dignity will be important to their success over the next three years.” However, only 65 percent of the employees surveyed felt treated with respect and dignity at their jobs regardless of their roles. This indicates companies need to be more intentional in their messaging, especially now, when the lives of many employees have been upended at work and at home.
Equally as important is the need to remind employees that despite business pressures, senior managers expect their teams to act ethically and not cut corners just to close a deal. Communications from management should underscore the company’s values—and the value of each employee. Actions speak volumes as well, and business objectives should be calibrated with the company’s compliance values in mind. As companies return to normal and seek to regain lost revenue, managers must be vigilant to tailor compensation structures and key performance indicators in line with the company’s values, taking care not to inadvertently incentivize non-compliance.
2. Create a network of compliance ambassadors
Physical travel may be restricted, but that does not mean you cannot make compliance “present” across your organization.
Consider, for example, identifying individuals who are squarely lodged within the company’s business practices and have shown a sensitivity to compliance matters, or who hold gatekeeper roles, and recruit them as compliance ambassadors that can help you embed compliance within the organization. This might require some additional compliance training and focused guidance. Compliance ambassadors will benefit from knowing a network of like-minded business professionals throughout the company, and the company’s overall compliance framework will benefit from these additional compliance-sensitive eyes and ears on the ground.
This network can be particularly helpful in crisis moments: when there’s a strain on main compliance resources, when communication channels are disrupted, when new risks arise, and/or when standard approval processes may be vulnerable to being bypassed. Compliance ambassadors can help embed compliance more deeply in the business, helping to ensure certain important compliance-related activities—like due diligence, for example—are carried out even in crisis times, and that any disruptions to normal workflow vis-à-vis compliance are minimized so that business can flow as smoothly as possible. After crisis, compliance ambassadors can continue to serve as champions of compliance that can be leveraged in creative ways to incentivize and promote company values.
While the current crisis has been disruptive, for many companies it has not been paralyzing. Indeed, a number of firms have been striving to carry on “business as usual,” although perhaps without the safety net of a fully operating compliance program.
It is important to take inventory of business activity that might expose your company to heightened compliance risks—either because of the nature of the transaction or because certain controls may not be fully operational during the crisis. Key transactions to be mindful of might include material sales contracts with government entities, strategic transactions with new partners, charitable contributions, and third-party engagements.
This will, of course, require remaining visible and connected to business partners so that you do not lose your seat at the (virtual) table when strategic decisions are made. If you can, harness the power of your company’s existing data systems to spot and track transactions. Further, create processes to flag these higher risk transactions for ongoing monitoring by compliance or internal audit in the mid- to long-term post-crisis.
While we’ve seen a relative slowdown of anti-corruption enforcement resolutions during the last few months—with courts operating in modified conditions and travel for witness interviews hampered—authorities continue to work on cases and have warned of an uptick in fraud, making continued monitoring particularly important.
4. Take your data and systems pulse—and queue enhancements
Take stock of what is working in your data streams and where there might be compliance-related gaps or weaknesses that could be amplified in crisis moments. For example, does the company have multiple junctures at which manual entries in enterprise resource planning (ERP) systems are needed, and does remote/solitary work mean there are fewer inherent checks on the process? Is information harder to access remotely, and does that provide an opportunity for wrongdoing to go undetected longer, or even perpetuated? Many companies are making improvements in their electronic data systems now; if yours is one of them, consider queuing enhancements that will strengthen the controls environment going forward.
5. Assess risks
An effective compliance program must be designed to mitigate the specific compliance risks facing an organization based on its business and operational profile. This global pandemic—as with any crisis—exposes risks likely not contemplated by compliance programs designed pre-crisis. In just the last couple of months, we have seen companies pivot to new business lines; interact with governments in new ways; begin to import and export new products; and, of course, watch revenue projections decline. Each of those and countless other instances change the risk profile of the business in ways that may or may not be contemplated by your current policies, procedures, or controls.
For the sustainability and effectiveness of your compliance program, it will be critical to conduct bottom-up risk reviews focused specifically on the changes and pressures to your company’s operations caused by this crisis and to assess the effectiveness of your compliance program in mitigating those risks. Were due diligence procedures operational? Were compliance-sensitive transactions successfully reviewed remotely? Were ERP systems operational and accessible without disruption? Were governance and authority matrix authorizations followed and documented in a remote environment? What adjustments should be made based on lessons learned in this experience and in advance of a future a crisis?
It will be equally important to look ahead and evaluate what new risks may be on the horizon. Has your company engaged new third parties? Entered new markets? Developed new products or services that subject it to new regulations? As you pressure test your program, remember to document each step of your review process, from the procedures used to assess risk to the rationale for any changes made to your program.
6. Update your compliance business continuity plan
Your company likely had some sort of a game plan heading into this crisis. That might have worked well, needed modification, or fallen by the wayside. And it may or may not have had a compliance component.
Take time when you can to update the plan—or draw up parts of a new one—to reflect the lessons you’ve learned about how the company operates and what needs to happen in crisis to maintain operations from a compliance perspective. Develop a schedule to continually update the business continuity plan (every 3-6 months may be appropriate for now) so that lessons you learn as the world continues to adjust are incorporated while still fresh.
This crisis period—though disruptive in myriad unanticipated ways—can serve as an opportunity to reflect upon your compliance program both as it operates now and how it can adapt in future uncertain times. As we see the light at the end of the tunnel of this trying time, it is also an opportunity to strengthen your compliance program so that your company is best positioned in the coming months and years. This long-term planning will be helpful—as Robert Dodge, assistant director at the Securities and Exchange Commission’s FCPA Unit, said during an April 23 Webinar, “It will probably take a little bit longer for [corruption] to come to light.”
Alejandra Montenegro Almonte is a member and vice chair of Miller & Chevalier’s International department. Ann Sultan is a member in Miller & Chevalier’s International and White Collar Defense practice areas.