In Unprecedented Times, Something’s Got to Give — But Don’t Let It Be Your Compliance Programme...
By Simon Airey & Joshua Domb
At a time of great difficulty and stress for so many during the current Covid crisis, significant new opportunities are emerging for companies in a number of sectors. In the face of a substantial economic slowdown, governments across the globe have opened their cheque-books and are spending like never before in order to help relieve some of the burdens caused by the pandemic.
Approvals for medical trials, drugs, treatments, technologies and protective clothing that once upon a time took months or even years are now being granted in a fraction of the time. Governments are now more reliant than ever on the private sector to maintain the supply of basic goods and services that we so often take for granted. They are also anxious to relieve suffering, prevent deaths and avoid damaging headlines. For companies that are able to service these new and extraordinary demands, the current crisis presents an unprecedented opportunity to share in that effort—and to reap the rewards.
In spite of these new opportunities, very few companies have been able to avoid the negative consequences of the global lockdown and the change in priorities that the pandemic has caused. Most companies have suffered a significant reduction in turnover and have been under pressure to significantly reduce costs; other companies are burning through cash reserves with no end in sight. Many have lost business and market share in overseas territories. Economists and financiers warn of a prolonged ripple effect and fear a global recession. Other companies are rushing to fill the vacuum and the more unscrupulous are positively seeking to take advantage of the chaos. Hackers, fraudsters and state-sponsored theft of information are all on the increase whilst staff are distracted or depleted.
At a time of such stress, and in circumstances where various governments around the world are stepping in to pay wages of furloughed staff, the temptation to reduce headcount has never been stronger. When determining who should be amongst that population, it may be tempting to think that compliance staff are no different from anyone else. That could be a mistake—and potentially a big one.
Key considerations for companies are the risks that they might face if they excessively cut back their compliance resources or inappropriately adjust their approach to compliance. Where the need to make changes is unavoidable, there are some comparatively easy steps that companies can take to manage key risks by adopting a more tailored approach to aspects of their compliance programme.
The Regulators Fight Back
Regulators, like everyone else, look forward to the day when the current crisis is over.In the meantime, many already anticipate that they will be faced with unprecedented evidence of fraud and unethical business practices. Some of this will be linked to the fact that certain regulators were forced to temporarily loosen their grip in the eye of the coronavirus storm. When that evidence emerges, and when politicians and the public demand a reckoning, companies that engaged in abuse or turned a blind eye can expect to feel the full heat of regulatory enforcement—especially if they have deliberately and improperly profited from the crisis.
Let’s take a hypothetical example in order to explore some of the dangers inherent in the current climate. Our example focuses on the medical devices sector, but the underlying issues and concepts are equally applicable to any company involved in the relief effort. In fact, the scenario also applies to any company in any sector where pressurised staff might be prepared to cut corners or, worse, engage in improper conduct in order to protect the bottom line or take advantage of current circumstances.
A Shift in Focus
Around the world, governments are encouraging manufacturing companies to re-focus their facilities towards the production of ventilators, which are required in the hundreds of thousands. Traditionally, the design process for a piece of machinery of this nature would take many months or even years, after which there would be a stringent process of testing, refinement and approval, before mass production would begin. In the current climate, these requirements have been re-written.
So let us imagine a mid-size pharma-tech company with a proven track record of producing respiratory equipment but which has not previously produced ventilators. When the call for assistance came from the government, the company’s engineers worked ceaselessly for several days to design a new form of ventilator that could be produced quickly and at scale. In record time, the team’s technical specialist wrote a user manual to explain the operation of the new device. The Procurement team secured assistance from a company in China to manufacture key components using 3D printing technology so that the price can be reduced to match that of the leading brand. The Government Relations team sprang into action and secured a virtual meeting with the Department of Health which granted expedited approval of the device.
Shortly thereafter and following a high-level sales meeting with a new government department that has been created to manage the relief effort, a purchase order is received from the government for 10,000 of the newly developed ventilators. Having generated positive headlines, the company starts to receive enquiries from hospitals and health departments around the world.
The Danger of Shortcuts
An instant success story: a burgeoning order book, great PR, global branding, staff recalled from furlough, increased profits, and new entry points to markets overseas.
But what if the device doesn’t work in the way that the company has represented? What if, because of tiredness or a desire to get in the door before the opposition, one or two small shortcuts were taken or the technical specialist who wrote the manual slightly mis-described one or more relevant functions? What if the company genuinely believed that the machine would be perfectly fit for use, even though they suspected it might not work exactly as described? What if, without meeting this specific requirement, the specialist writing the manual knew that approval was not likely to be received for another week or so, by which time the opposition may have already beaten our hypothetical company to the punch? What if the price of the device was fixed not on the basis of the cost of the components, but deliberately so as not to undercut the leading brand and put them out of business?
Imagine if, two years down the line whilst reviewing the accounts, the company auditors query a small consultancy fee that has been paid out to a firm on whom due diligence was either rushed, or not completed - a consultancy firm that the company had never heard of before, and which the auditors can find no trace of online. A consultancy company which it later transpires had been set up in an offshore jurisdiction just a few days before approval was received, with unknown beneficial owners. What if an industry publication queries how the company managed to obtain import approval for the components from China so quickly and a competitor is making noises about possible collusion with the market leader and the pricing of the product?
And what if the slight technical deficiency that was not accurately described in the manual results in a small number of deaths amongst the population of patients who used that device, in circumstances where those deaths could have been avoided if the ventilator worked as described?
These events may be completely unconnected, and there may be no substance to the rumours or the concerns. However, they are highly likely to lead to a governmental investigation, possibly by several agencies at the same time, both at home and overseas.
However, if it transpires that there is some substance to the allegations, imagine the fury and fever with which government - suffering from the incredible sums that it has spent in the relief effort - would investigate that company. The company’s new profits would be wiped out very quickly, along with its reputation and future prospects—and those of key staff and its Board. The company may not even survive the inevitable backlash from politicians, the public and the press. What started as an instant success story has now turned into a perfect storm.
Navigating New Opportunities Safely
This case study is hypothetical but far from implausible. At a time of such incredible opportunity, what if that company had taken a little more time to check the design of the new ventilator and the description in the technical manual? What if they had ensured more thorough oversight of the Government Relations and Sales teams? What if they had made sure that the Procurement team had more thoroughly checked the contracts that the company rushed to win and then service? What if, amongst all the chaos and uncertainty, senior management had really taken the time to stress the importance of the company’s compliance policies and procedures, to help keep minds focused?
A Flexible Approach to Compliance and ‘Quick Wins’
It is, of course, inevitable in the current situation that, with the best of intentions and in a bid to save lives, shortcuts will be taken and usual compliance policies and procedures may be overlooked, side-lined or fast tracked. In some cases, this may be justified. However, when these processes are abandoned altogether, when key compliance staff are furloughed, or when there is no good reason for a lighter-touch approach, companies are more likely to find themselves exposed to difficulties further down the line.
One sure-fire way that companies can protect themselves in this situation is to treat compliance as a key deliverable, even when there appear to be far greater priorities. Another is to work with compliance staff, or external counsel, to identify key risks and priorities and to allocate resources accordingly. A primary objective should be to ensure that contemporaneous advice, oversight and independent scrutiny are both received and recorded as having been received. Any change in approach, assessment of risk or allocation of resource should be justified and documented.
Whilst the specific advice that will be given to each company will of course be tailored to individual circumstances, the following list of suggestions might be helpful in the meantime.
Ensure that senior management continues to lead from a compliance perspective, with an appropriate ‘tone from the top’. Senior management must be seen throughout the business to be re-emphasising the importance of compliance with relevant policies, procedures and controls. This message should be reinforced at the local level by middle management, particularly managers of higher risk teams.
Avoid the temptation to disproportionately cut back compliance resourcing. This may help to demonstrate to regulators that you did not abandon your compliance responsibilities in favour of the bottom line.
If you are going to deviate from normal policies and procedures, ensure that contemporaneous notes are made (and preferably agreed with the benefit of an independent set of eyes) explaining (i) the rationale for departing from the normal operating procedure and (ii) the compliance steps that have been taken in their place.
Where short-form or amended approaches are taken, review and test the outcomes by reference to your standard policies and processes when time and resourcing allows. For instance, if, when on-boarding a new supplier whose assistance is needed on an urgent basis, a partial rather than full background check is done, conduct more comprehensive due diligence as soon as possible thereafter.
Ensure tight control over all expenditure; avoid situations where any single or key individual has unscrutinised access to bank accounts or the ability to make or sign off payments.
Don’t allow normal due diligence processes in relation to high risk third parties (such as sales agents or intermediaries offering access to government officials) to be side-lined in a bid to engage unknown third parties quickly.
If resources are stretched, consider temporary dispensations in relation to lower risk activities, territories or counterparties (but beware the risk of abuse if the change in approach becomes common knowledge); avoid the temptation to abate processes where the most risk resides and that require an associated amount of effort to mitigate.
Ensure that you include recordkeeping requirements and external audit rights in contracts with any new third parties where those third parties may present a higher risk from a compliance perspective.
Refresh compliance training for higher-risk staff and third-parties; convert training modules to live video format for maximum impact and engagement and to reach remote populations. Ensure that under-utilised staff catch up on any online or pre-recorded training modules that have previously been missed.
Ensure that individuals in key decision-making roles have the freedom and resources to engage with external legal counsel for advice and support where necessary. Ensure that notes are made and retained about the nature and extent of any advice that has been sought or received.
Remind key staff that the short-term need to protect the business or the bottom line, or to seize new opportunities, should not be at any cost.
Remember that regulators understand the challenges of the current working environment and acknowledge that, in many instances, companies are entitled to take a proportionate and risk-based approach to compliance. However, don’t treat this as a ‘get out of jail card’.
When the Dust Settles
When things begin to return to normal, regulators will inevitably be looking for low-hanging fruit and big headlines. But they won’t be inactive in the meantime and they certainly won’t be deterred by the difficult cases or the problems often associated with multi-disciplinary investigations involving several regulators and agencies from overseas. Indeed, recent enforcement cases show that regulators around the world are working more closely together than ever before.
This means that companies that cannot easily demonstrate that they had in place adequate procedures designed to address relevant risks will be an easy target. Whilst some of the suggestions above might seem like unnecessary additions to a company’s workload at what is already a difficult time, several of them may represent quick wins and provide temporary solutions at a time when compliance resources are unusually stretched or matters need to be expedited. Mitigating actions such as those suggested above may also help persuade an overzealous regulator that, whatever may have happened as the result of the company taking its eye off the ball a little, or even because of a rogue employee or sales agent, there is no easy route to prosecution against that company or that more worthy targets exist elsewhere.
The current difficulties will, of course, pass and life will eventually get back to normal. Those same difficulties have also created immense opportunities for companies that are agile and creative enough. In seeking to capitalise on those opportunities, companies are well advised to maintain discipline and a careful, if adapted, focus on their compliance programme.