Covid-19 has rocked the public and private sectors, sparing no country, market, business, or group. Another casualty may be compliance programs—unless organizations figure out a way to reorient them in light of the challenges highlighted below.
Staffing Shortages. Along with turbulent markets and a public health crisis, organizations also worry about having enough compliance staff. The shortages may get worse as compliance personnel get sick themselves or leave their posts to deal with sick family members. These staffing challenges may impede core compliance responsibilities, such as compliance monitoring, reviews, assessments, reporting, and training.
Relaxation of Controls. The unknowns brought by the pandemic may tempt some organizations to relax compliance controls and relegate these requirements to lower priority in light of the current emergency. Rogue employees may take advantage of this relaxation to circumvent approvals, falsify records, or bypass reviews to expedite results.
Third-Party Compliance. Some organizations may need to suspend or terminate engagements with third parties and replace them with vendors that have not been properly vetted to avoid a disruption in services or to meet consumer demand.
Reopening. Compliance officers may have additional challenges preparing for the reopening of their businesses as governments contemplate lifting pandemic-related workplace restrictions. How do they reintegrate employees into the workplace and implement government reopening requirements while trying to oversee activities for both on-site and remote staff?
Organizations should address these challenges as soon as possible. No one knows when this pandemic will end or whether we will ever return to business as usual. One certainty is that having an effective compliance program is essential to navigating these challenges and preparing for a new normal.
Purpose for Compliance
The U.S. Federal Sentencing Guidelines provide that effective compliance programs help detect and prevent misconduct and guide employees to do the right thing. There’s nothing in these guidelines that suggest compliance should be “sidelined” during challenges like Covid-19. If anything, the guidelines underscore the value and need for a compliance program at all times.
Compliance officers can take steps now to determine if their compliance programs are effective. The Department of Justice’s Evaluation of Corporate Compliance Programs is a good starting point. The guidance, released in 2019, recommends an assessment of compliance programs using three main questions: 1) Is the program well designed? 2) Is the program effectively implemented? 3) Does the program work in practice?
Design, Implementation, Practice
Compliance programs should be assessed and tested periodically so that compliance controls evolve with changes in the organization’s business and risks. A pandemic is a great opportunity for compliance officers to measure their program’s resilience and ability to evolve as necessary. Here are some quick steps to launch this review.
If your compliance program design has not been tested, it’s more than likely static and a “paper” compliance program that doesn’t actually do the job. It’s probably not even implemented, which means it is not being followed or modified when needed. Unfortunately, these types of compliance programs typically lead to potential repercussions for both the organization and individual compliance staff members. This would be a good time for your organization to reassess the design of your compliance program before proceeding to the remaining tenets of the guidance.
If, however, your compliance program is dynamic and responsive to change, you have a great head start, and should consider using these measures to address the two remaining tenets of the DOJ’s guidance—implementation and practice—and help your program remain effective during the pandemic and economic downturn.
Assessment. Compliance officers should determine if their current compliance controls adequately identify and manage new risks posed by the pandemic. Launch a risk assessment, document the results, review them with others, and, where necessary, make the required changes to promptly address any material risks (Covid-19 related scams, for example).
Accountability. Suspension of certain compliance requirements to leverage Covid-19 regulatory relief does not suspend a blanket “zero tolerance” policy for unethical conduct. A compliance program cannot be effective if there are no consequences for unethical conduct. Ask the board or senior executives to issue a message that they will never tolerate noncompliant behavior ever—especially during challenging times like these. Subject to the duration of the pandemic and the downturn, have the board repeat this message to ensure ongoing awareness.
Autonomy. Compliance considerations should be part of both the organizational thought process and management’s decision-making process. For example, decisions involving the reopening of office locations or managing remote operations during the pandemic should require compliance input before implementation.
Tone at the Top. The board and management should clearly and regularly articulate the organization’s commitment to compliance during the crisis. Ask managers at all levels to issue notices and periodic reminders on important compliance policies (e.g., code, insider trading, cybersecurity, privacy, records management).
Values. An organization’s code of conduct represents high-level values—most likely pandemic-proof and requiring no adjustments. It serves as an excellent synopsis of crucial principles that form the foundation for many compliance policies. Distribute the code with a cover note highlighting minimum expectations, instructions for raising ethical and compliance concerns, and the potential consequences of noncompliant behavior.
Training. An effective compliance program includes training to ensure that employees have sufficient knowledge of their responsibilities, especially during uncertain times. Develop a plan to deliver periodic compliance training that: 1) serves as a reminder of important firm policies, 2) covers new or revised policies, and 3) addresses specific issues relevant to the pandemic.
Testing. Periodic testing informs the organization of the health of its compliance program. Compliance officers should check the compliance program, making adjustments to testing protocols as needed. Work around staffing, access, or resource limitations using interim solutions (e.g., questionnaires, virtual interviews, email requests for documentation). Just make sure to flag identified compliance weaknesses for remediation if needed.
Misconduct. Organizations should remain vigilant and responsive to misconduct, no matter what challenges or crises they face. Compliance should remind managers to watch for red flags and to promptly report concerns to the appropriate contacts for handling. Compile any reported information to help identify potential patterns that warrant further review or escalation.
While business and health risks are of primary concern right now, effective compliance programs remain essential to an organization’s success—even more so during a pandemic and economic crisis. Maintaining these programs requires ongoing support and commitment from all levels within the organization, assessments to check their health, training to reinforce and raise awareness, ongoing oversight to monitor compliance, and messaging of ethical values to promote compliance.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.