Resisting Temptation in a Crisis: Making Sure Ethics and Compliance Don’t Get Diluted Under Financial Strain

by Daniel R. Alonso, Tiffany A. Archer, Richard Bistrong, Bruce Karpati, and Katherine A. Lemire

As the pandemic crisis begins its long process of receding, near the top of mind in companies of all sizes is how to thrive, or even survive, with the economy in turmoil. With such pressures, it would be easy for business executives to let compliance issues drop down on their list of priorities. Although good compliance professionals will resist any loosening of the reins, they need to be realistic that their resources will be more limited than in the past. At the same time, compliance issues and breaches could even be worse during the pandemic and its aftermath, in light of, to cite just one example, governments’ relaxing their procurement rules to make emergency relief easier to achieve. And, once the brunt of the crisis is over, businesses will likely see spikes in sales, which could in turn lead to additional issues or breaches.

With all that in mind, the authors came together in late May for a webinar sponsored by the New York City Bar Association. The goal was not just to kick around ideas, but rather to give the more than 150 attendees ten concrete takeaways—issues we thought would be the most salient on which to focus limited resources, and the most fruitful. Following are the ten takeaways and a brief summary of each:

1. Communication

A lack of communication or clarity from leadership during times of crisis might be wrongly interpreted as “do what you need to do.” For that reason, communication is all the more important right now. In particular, if indeed budgets are getting cut or will soon suffer, a remarkably cost-effective technique is to have business leaders, not just compliance leaders, communicate more frequently so that the compliance message does not get lost. Compliance leaders, for their part, need to ensure that they are communicating “up and across” the organization, to ensure both that business leaders keep compliance front of mind and that the workforce gets the message.

At the same time, “tone from the top” is not just about communications, but also about investing resources. If cuts to compliance programs, even in times of crisis, become too extensive, that itself can send a message of compliance “tone deafness” to the staff. Companies should pay heed to the myriad government enforcement actions of recent years that have emphasized the connection between reduced compliance priorities and misconduct in middle management.

2. Need for Renewed Risk Assessments

The risk profile of all organizations has changed, so companies need to conduct renewed risk assessments to evaluate the effectiveness of their compliance programs in light of COVID-19 and the pandemic response. But they will need to decide which areas require prioritization. By renewing their risk assessments in key areas, companies will establish what risks can be deferred as not urgent and what risks need particular attention.

3. Need for Evolving Policies and Procedures

In the same vein, and with the benefit of renewed risk assessments, companies will need some amendment of their policies and procedures to accommodate COVID-19 concerns and restrictions. For example, it will likely be impractical to conduct trainings with the same frequency, but additional communication, as suggested above, may partially fill the void. At the same time, Codes of Conduct will need to be amended to address increased risks due to the pandemic and to measures in place to work through the pandemic (e.g., cybersecurity concerns, discussed below). To the extent some aspects might be relaxed, such as procurement or vendor onboarding, consider keeping or strengthening other aspects, such as third-party due diligence. Although some policies and procedures may be relaxed, companies should take care that the changes not stay in place longer than they need to.

4. Unfreezing the Middle

As important as tone from the top is, employees should of course receive the compliance message from other sources, and in different ways. One of the key ways is training, but if in-person training is reduced, even temporarily, compliance communication will suffer. One technique that successful companies use is to embed “Compliance Liaisons” or “Compliance Ambassadors” within different functions, including commercial teams, to provide in-person support and keep programs and messages fresh. Whether companies choose a formal liaison/ambassador program or not, employees often feel comfortable turning to peers for initial direction and consultation. Compliance and senior management should encourage and facilitate this kind of communication.

5. The Need for Innovation During the “New Normal”

While ensuring that the business functions don’t lose their focus on compliance and ethical decision making, compliance personnel should also focus on the need to innovate in an era where everyone is working from home or in alternative spaces. The compliance program needs to adapt to this new way of working. The use of technology here will be key.

6. Operationalization of Virtual Controls

Similarly, running a compliance program virtually requires controls systems to adapt. The compliance function should facilitate this process, interfacing with other functions like finance, internal audit, and IT to ensure that as little slips through the cracks as possible. Although an economic downturn may not be the time for many companies to make capital investments, they will have to use technology in ways that may not have been anticipated.

7. Addressing Uncertainty, Anxiety, and Stress

Organizations should affirmatively address uncertainty, anxiety, and stress in the workforce to reduce the likelihood of a “me, me, me” mentality, which increases the chances of misconduct and a lack of engagement. Changes in role, responsibility, supervisor, or compensation may well be happening, maybe all at once. It is key for leadership to address these pressure points and uncertainties proactively so they don’t tip ethical decision making in the wrong direction.

8. Not Throwing Away the Playbook

Regulators, enforcers, and prosecutors have been very understanding in their public statements since the pandemic crisis began, and they should be taken at their word. Experience has shown, however, that this sense of crisis will fade during investigations that happen two or three years down the road. And as one of our panelists noted, as understanding as she might be as someone who lived through the crisis, a future regulator might not have the same understanding. The reality is that, in hindsight, government actors will look at how the business and compliance functions handled the current crisis and will question decision making. That is particularly true if the company does not adhere to its existing policies and procedures.

9. Focusing on Cyber, COVID, and Compliance

Compliance with regulations governing cybersecurity has always been crucial, but never more so than in a “work from home era.” The groundbreaking cyber regulations of the New York State Department of Financial Services, for example, have been in effect for more than two years, and regulated entities that have failed in their compliance efforts may find themselves newly vulnerable to cyber attacks as employees log in remotely to company servers. Even unregulated entities should redouble efforts in this area, as it touches all aspects of the company.

10. Crisis Leadership by the Compliance Function

Former Chicago Mayor Rahm Emanuel famously said that you “never want a serious crisis to go to waste.” By any measure, this is a serious crisis, and our panel noted that, for many companies, this could be a way for the compliance function to lead in ways beyond its traditional administration of the compliance program. Examples suggested were business continuity planning, re-entry into the workplace, data privacy, health & safety, and, as noted above, cybersecurity. Integration of compliance with the business is always a good thing, and this is an opportunity for deeper integration.

Daniel R. Alonso is a partner at Buckley LLP; Tiffany A. Archer is a Regional Ethics & Compliance Officer and Corporate Counsel, Americas & Europe, at Panasonic Avionics Corp.; Richard Bistrong is President of Front-Line Anti-Bribery LLC; Bruce Karpati is Partner and Global Chief Compliance Officer at KKR & Co. Inc.; and Katherine A. Lemire is Executive Deputy Superintendent of the New York State Department of Financial Services.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.