All Eyes on Me: Practical Tips for Anti-Corruption Compliance In and After a Time of Crisis
Compliance officers, in-house counsel, and other corporate gatekeepers know that even when the economy is booming, implementing a robust global anti-corruption compliance program is an expensive and complex proposition. When facing a global pandemic and grim economic forecasts, that proposition becomes even more daunting. Commentators and law firms—including
If you are an in-house compliance or legal officer, or in a gatekeeper role with compliance responsibilities (for brevity, referred to generically as “Compliance” in this article), you may feel that all eyes are on you, particularly in this time of crisis. Business leaders want to know whether Compliance is going to be a trusted advisor and partner in navigating these uncertain times or just another bureaucratic headache. And more than ever, employees are looking for guidance to understand expectations and to make sense of conflicting priorities. As the list of expectations seems to grow, the days—and in many cases, budgets and resources—are shrinking.
To complicate matters further, while many locations or aspects of your business may remain in peak crisis mode, others have begun or will soon begin to push toward reopening and returning to “normal.” There are no easy fixes, but here are some questions to ask and tips to consider as you navigate the path forward:
The best laid plans: You may already have been asked to cut staff and/or budget. Even if your resources remain intact, travel and in-person meetings are negligible or non-existent. Taking some time now to reconsider your annual strategic plans, find alternative means to achieve goals that you deem imperative, identify new priorities, and deprioritize less critical items can be time well spent.
Strategies adapt: Is your compliance annual strategic plan still fit for purpose?
Communications resonate: Does your internal communication plan still make sense, thematically and amid other COVID-19-specific communications? Consider whether your message may be lost in other “noise” or may need to be restructured to be sensitive to the concerns of employees.
Hone in: Do some topics no longer have the same priority they did before? Some contenders are obvious (like events, travel), but reviewing the list with “fresh, crisis eyes” may identify other topics to delay, groups to add, and vice versa.
The right audience: Have different teams taken on roles or interactions that warrant additional or different trainings or reminders? Consider whether the original audience is still the right audience when launching training and communications.
An attentive audience: Will the core message reach the target audience right now, using this format? If your company is thriving and employees are essentially a captive audience, this may be the ideal time to launch an online training program. Conversely, if head count has been reduced and the remaining employees are over-taxed and stressed, you might not want to launch a complicated online course. Instead, consider focusing on short communications that remind employees of the most critical compliance risks facing your company today as well as resources to get help.
Culture matters: Compliance officers know that no matter how stylish their intranet portals or the sophistication of their online training modules, the foundation of a strong compliance program is a baseline, unwavering commitment to ethics and integrity. Ensuring that such a message is clearly communicated to all is even more critical in these uncertain times.
Tone at the top: What has leadership done to impart and reiterate the importance of an ethical culture, compliance, and transparency? Regular approaches or formats for messaging may not resonate in the face of new, competing priorities, altered realities, or in new working environments.
Gatekeepers at the top: Does Compliance have a seat at the right tables? A lot of companies are making critical decisions right now, ranging from cutting operations and staff to opening new business lines or acquiring new entities or assets. These types of decisions frequently happen quickly, so Compliance needs to have a seat at the table as early as possible in the decision-making process. You will be better positioned to identify and address potential compliance risks if you have advance warning, and it presents an opportunity for Compliance to engage as a trusted business advisor.
Moving gates, switching gatekeepers: Have the Compliance gatekeepers been affected by remote working or changed roles? Can they still serve as effective gatekeepers? Are there other risks that require gatekeepers? Changes in their work environment warrant consideration. But this may be a relatively minor issue if the risks gatekeepers used to monitor no longer exist, or if other, new “gates” posing risk have opened that require their own gatekeepers, as discussed below.
Trust but verify: What evidence do you have to show your company’s answers to these questions and implementation? How can you demonstrate the efficacy of the new or changed approaches? As you progress through this crisis, ensure that your team and others in the company are retaining records evidencing compliance-related efforts and focus during this time (e.g., copies of compliance-related communications). Additionally, as time and resources permit, verify that new strategies or approaches are effective in achieving their goals (e.g., that the recipients of those communications understood and integrated the key messages).
Tone at the middle: Are you confident that your company’s culture of compliance—across middle management—is strong and secure? Are you confident that managers are projecting the right commitment to compliance across your organization? When assessing tone at the top during this crisis period, take a similar look at the actions and attitude of middle management.
Risks change: Has your company’s risk profile fundamentally changed, or has the crisis precipitated risks that you’d previously assessed to materialize? Document and assess shifting risks as best you can. Conducting a full COSO-based risk assessment may be impractical during the crisis, but documenting new or materialized risks may prove helpful after the fact, particularly when they change frequently and the old reality may be difficult to recall with clarity.
New business lines or operations: Distillers are making hand sanitizers, and auto manufacturers are shifting to medical devices. Responding to the pandemic has caused many companies to take on operations that are new and distinct from their core businesses, which are likely to alter risk profiles in fundamental ways and pose entirely new or different compliance risks.
Elimination of business lines: Other companies are closing offices or suspending certain business lines. Shutting down core operations, functions, or teams may alter risks, as well as reduce related compliance resource needs. Documenting the reductions and their impact becomes all the more important when reallocating compliance budgets, teams, or plans and explaining those changes in hindsight.
Third parties: Disruptions to entire industries, classes of businesses, and large parts of many supply chains may mean that old partners and established ways of working no longer exist or operate consistent with your company’s expectations. Moving forward with their functional replacements can pose other challenges and risks, particularly if they are new or recently established or taking on high-risk roles or interactions.
Government mandates or bailouts: When mandating production or expropriating sites for crisis response, the government’s direct intervention in private business poses risks in ways many companies would not have considered in normal circumstances. On the other hand, many companies never contemplated aspects of government bailout packages, much less the related compliance risks. How have the related risks been mitigated and incorporated into the compliance program? Have the teams handling those interactions and processes had appropriate training?
Reasoned response to new or changed risks: Documenting the company’s assessment of risk and the response and rationale behind choosing Terrible Option A versus Horrible Option B will not only be helpful for posterity and in subsequent compliance planning, but can also facilitate communicating effectively to teams and stakeholders working in remote environments.
Documented support for decisions: Where the laws, regulations, or guidance are shifting as frequently as the crisis itself, seeking more formal, written guidance and legal analysis around critical issues may become more of a priority than during business as usual or than envisioned in original compliance planning.
Knowing whom to call when: Are information transfers—to employees from Compliance and vice versa—still flowing smoothly? Both in a crisis and when significant changes are made to a business’s organization or activities, knowing whom to call is critical to employees. The same is true for Compliance, as having eyes and ears on the ground to detect issues becomes even more critical during crisis mode.
Compliance questions: Many companies have well-established systems for employees to contact gatekeeper teams for day-to-day guidance and answers to questions. However, with possible changes in personnel or responsibilities combined with a change to remote operations, reminding employees of these gatekeepers and communicating their modified contact information can help ensure this key safeguard continues to function effectively.
Reporting channels: Both in a crisis and when adding to or changing the business, having eyes and ears on the ground to detect issues becomes even more critical. Verify that your reporting channels and hotlines are working everywhere as they should be, and consider sending internal communications reminding the organization—and new or different teams, in particular—about those channels.
Exit interviews: Leverage exit interviews of departing employees both as a supplement to other reporting channels and hotlines, and to preserve institutional knowledge around specific compliance risks or red flags particular to departing employees’ roles.
Investigations: Do certain types of investigations no longer have the same urgency they once did or, conversely, take on a higher priority? While each individual investigation may warrant different approaches, programmatic aspects like triage, prioritization, and investigative methods may require broader tweaks. If courts or regulators are closed, or timeframes and deadlines are tolled, related investigations may have lower priority, whereas crisis-related enforcement or perception risks might move other investigations to the top of the queue.
Using the weapons already in your arsenal: Do you have technology at your disposal that can support monitoring goals at a time when teams cannot travel? If your company already has invested in technology, consider whether you can further leverage that capability to achieve monitoring goals, especially when Compliance is not able to travel or to meet with operational teams in person. Monitoring spend, budget over-runs, frequency of particular activities, and other indicators may be helpful to identify potential violations or hot spots.
Finding the “new normal”: What will your company and Compliance organization look like in the near future? While some places have yet to reach peak crisis mode, others are beginning or may soon begin to reopen. Pushing to return to normalcy may itself involve risks or aggravating forces that are distinct from the crisis itself and reverting to prior frameworks may not make sense or may not be an option at all. Exercise appropriate skepticism toward forcing the new normal and changed realities into the old ways of doing things purely for convenience or from habit.
Pausing to consider the questions above during a period of crisis and upheaval can be an important step in ensuring your compliance program’s effectiveness and continued momentum, at a time when all eyes are—or may soon be—on Compliance. These questions also are worth revisiting periodically and especially when moving toward the “new normal” as answers may change. Regardless of how your company emerges from this period, this type of self-reflection facilitates digesting lessons learned from this period and identifying opportunities for enhancement of Compliance operations in the future.