Compliance in Focus: Mitigating Crisis-Driven Risk - A Checklist of Key Communications

May 1, 2020

The strains of moving to a remote workforce in response to the COVID-19 crisis along with massive sourcing shifts and other operational changes have companies across the world scrambling to adjust to our new reality. As a result of this disarray, the compliance controls that have been carefully developed to protect companies from criminal, regulatory and reputational risks are in jeopardy. Employees are scattered, disconnected and putting out fires all around them. Oversight and approval processes relying on regular, in-person contact and hardcopy documents have broken down. Personnel filling gatekeeper functions may be disconnected and unfocused while adjusting to remote work and overwhelmed by professional and personal stressors. The economic downturn has caused massive layoffs, removing employees in key positions and necessitating rapid shifts in resources and responsibilities. Companies cannot trust that the controls of yesterday continue to function today. 

In this new normal, companies must re-underwrite their compliance programs to adapt to a remote workforce as well as many other operational and personnel shifts that have occurred as a result of this pandemic. But where to begin? As a threshold step to ensuring continuity in your compliance program, we suggest making communication your first priority.

Even in the best of times, open lines of communication – up, down and across reporting lines – are a crucial component of a robust compliance program. Unfortunately, while this crisis presents unprecedented hurdles to implementing compliance procedures, it also presents heightened risk of all manner of misconduct and missteps. Now more than ever it will be important to actively nurture lines of communication between compliance, senior management and key personnel to ensure that you are aware of changes that require adaptation of your controls and that your compliance program continues to protect the company against legal and reputational risks, even as your day-to-day operations change dramatically. 

Below are three critical lines of communication compliance departments should consider opening today to identify and avert crisis-driven compliance gaps:

1. Senior Management

  • Message from your CEO re-setting “Tone from the Top”
  • Message to senior management and Board re-confirming compliance reporting

It is well established that the “Tone from the Top” is one of the most important factors in the development of an effective compliance program. While senior management may have set an expectation of ethical and responsible business in normal times, we are living in a new world. Employees may be disconnected and distracted and the opportunities for effective oversight have been significantly curtailed. The company may be all hands on deck, focusing on addressing market disruptions. Personnel could get the impression that anything that is not directly related to managing the crisis should take a backseat for the time being. With their focus diverted, personnel may lose track of the critical compliance controls that protect your company from serious criminal, regulatory and reputational damage. To ensure that the controls your company has developed and your commitment to compliance continue apace, personnel should receive an explicit reminder that your company’s compliance expectations are unwavering.

Reach out to senior management and ensure that the appropriate party (typically, the CEO/President) communicates to personnel that your compliance expectations have not changed and, in fact, that risks may be heightened in this current climate. This communication should also emphasize that if compliance procedures need to be modified to address current working arrangements, personnel should consult with compliance to develop suitable alternative processes to maintain compliance with applicable laws, rules and regulations and preserve the company’s reputation as an ethical and responsible business.

Compliance should also continue reporting to the General Counsel, Board, Audit Committee, etc. on the status of the compliance program. This may be challenging given the many pressing matters that senior management is juggling and the fact that the systems that previously facilitated reporting may no longer be available. But now is not the time to put this crucial safeguard on the backburner, as failures in this regard may be viewed by regulators in hindsight as wavering in the company’s commitment to compliance or, worse, an attempt to avoid oversight in the face of known deficiencies. Compliance departments should check in with senior management to ensure that there is no lapse in reporting and work out any alternative procedures or logistical hurdles that may be necessary to facilitate continued reporting to senior management and the Board.

2. Key Control Functions

  • Check in with key functions (finance, procurement, audit) to identify and close controls gaps

Key controls functions like finance, procurement and audit are gatekeepers in a compliance program. They fill a critical role in identifying red flags and ensuring that transactions are not processed and relationships do not move forward without the diligence and approvals required by the compliance program as well as monitoring the program’s effectiveness.

However, many of the employees filling these roles are not accustomed to working remotely. Their work flow and the processes they have developed to ensure a consistent approach to vetting, approving and monitoring may not be adapted to remote working. Furthermore, like all personnel, they are currently working in an environment of unusually high stress due to the impact of the pandemic – both from a personal and a professional perspective. 

Given the critical nature of the roles they play in your compliance program, it is important to reach out to these functions to emphasize the need to maintain established compliance processes and solicit a dialogue regarding any procedures or timelines that may need to be adapted to the current working environment. The goals of this outreach should be two-fold: (1) confirm that compliance remains a priority for the company; and (2) identify and work with them to fill compliance gaps that have been created due to new working arrangements, loss of personnel they once relied on or other operational changes. As noted in our prior Compliance in Focus article – Strategies for Mitigating Supply Chain Risks – we would also recommend soliciting feedback from these functions regarding potential issues that may implicate your compliance procedures going forward, such as supply chain changes necessitating urgent vetting and onboarding of new vendors.

3. Middle Management

  • Reach out to supervisors and managers to re-underwrite your program and address challenges and controls gaps

Compliance departments should also check in with regional and business line leaders and anyone else with approval authority over transactions, expenses or business relationships that raise compliance risks for the company. These people play an indispensable role in the compliance process: they are the eyes and ears of compliance in the trenches of the business. Yet, they are likely no longer working with those who report to them in quite the same way. And, while these people may be more accustomed to remote working, they may have relied on resources that are no longer available to them to fulfill their oversight obligations, such as in-person check-ins, printing and delivering hardcopy expense approvals or tasking junior personnel or administrative assistants with completing initial drafts of diligence forms.

It is particularly important with respect to this group to re-underwrite the compliance program both by ensuring that compliance is not left behind in favor of focusing on urgent, crisis-driven issues and also by working with them to identify potential gaps or new issues that may require adaptation of current procedures. Compliance should emphasize the key role these employees play in protecting the company and open a dialogue as to any hurdles they are facing in fulfilling their oversight responsibilities.  To the extent that oversight challenges are identified, Compliance and the business should think creatively and collaboratively about ways to effectively adjust compliance procedures to these strange times we are living in. If your company has experienced layoffs, this will be the opportunity to identify gaps that have been created in oversight and approvals as a result of lost personnel. 

It bears noting that opening these lines of communication is only the first step. As with any compliance process, ongoing monitoring is key to effective implementation. Setting a calendar reminder to check in at regular intervals with each of these constituencies will keep compliance in the loop as to changes that may need to be addressed and keep compliance top of mind. The world is changing rapidly and companies are changing with it, in ways large and small. A prudent person will take nothing as given in the current environment. Taking extra care to maintain open lines of communication will be critical to navigating your compliance program through this crisis. And, if an allegation of potential misconduct comes to light years from now, your record of compliance communication will be a valuable asset in demonstrating the company’s unwavering commitment to compliance.