Managing compliance through the changes of 2020
For those working in the compliance industry, 2020 will be remembered as a year of many changes. In addition to the COVID-19 pandemic faced universally, two important guidance paper updates were also released by the United States Department of Justice (DOJ).
In June came the updated Evaluation of Corporate Compliance Programs (the “Evaluation”), swiftly followed by an updated version of the Foreign Corrupt Practices Act Resource Guide in July, underscoring the DOJ’s continued expectations on organisational compliance efforts.
Amid the pandemic, risk may be at an all-time high, with companies struggling due to supply chain challenges, budget cuts, closed borders, decreased purchasing power and losses in revenue. In this article, we discuss how compliance and business leaders can leverage the key recommendations from the updated Evaluation to effectively manage this heightened level of risk.
Evolve and adapt
Managing risk could be significantly different going forward. The DOJ recognises this, stating in its updated Evaluation that a company should be assessed ‘both at the time of the offense and at the time of the charging decision and resolution’, and that ‘external factors’ that might affect operations should be considered.
Business leaders should be prepared to evolve facets of their compliance programmes and business processes to deal with the impact of COVID-19. For example, supply chains and channel sales partners may be feeling additional pressure to rapidly source raw materials, increase manufacturing capacity and sell more products – especially in the life sciences, retail and manufacturing industries. This means organisations must have second- or third-tier partners or be able to quickly scale due diligence operations to screen and bring on new partners.
When it comes to training, e-learning will become essential and likely the only option. Companies should ensure their courses are updated to contain information relevant to the current circumstances, with greater focus on data privacy, health and safety, social justice and anti-bribery.
Weigh multiple options for due diligence
The DOJ Evaluation highlights the importance of managing third-party risk, stating that ‘[a] company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business’.
Compliance practitioners already understand the value of background checks and due diligence, but they should now consider leveraging multiple options based on the unique challenges in the current environment. In some countries, obtaining registry records could take longer and may need to be supplemented with online research. With physical locations either limited or shut down, site visits may not be realistic, and will need to be substituted with reputational inquiries instead. Onboarding times may be compressed due to business pressure, so expediting work or considering faster options such as online research and database screening may be necessary.
In addition to upfront due diligence and background checks, companies should consider ongoing monitoring to stabilise supply chains and avoid turnover. The DOJ Evaluation echoes the need for monitoring by stating that assessments should cover more than just a ‘snapshot’ in time. Many organisations are now subjecting all high-risk partners to discreet ongoing monitoring against their database platforms, receiving daily updates on any changes in status and leveraging the findings to guide future decisions.
Assess before you stress
Changing times call for updates to your risk assessments. The Evaluation states that prosecutors evaluate the ‘effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment’. In addition, assessments should be periodically updated.
The spread of COVID-19 is certainly grounds for updating the risk assessment to account for changes in:
- supply chains and channel programmes
- geographies where certain activities can be carried out
- due diligence requirements
- the presence of new or heightened risks.
For example, with supply chains and channel programmes, organisations may need to expand volume and partner types (depending on industry) based on customer demand or changes in the geopolitical environment. The risk assessment should help guide the business on what scopes of diligence are required for these new third parties. The compliance team will also need to provide guidance on the shipment or receipt of goods, services and materials from countries or territories where the business does not normally work or have a presence.
Business leaders should also document how losses in staff (especially within compliance) could affect risk coverage, and what can be done to maintain oversight, including expanding responsibilities of existing resources, training up junior resources, or outsourcing compliance functions to a qualified vendor. Since ‘resourcing and autonomy’ is one of the key areas of the DOJ’s evaluation criteria, organisations should pay close attention to how their teams are staffed despite budget cuts and losses in revenue.
Risk assessments should also be updated to cover new or heightened risks to the organisation. The DOJ Guidance states that ‘prosecutors should consider whether the company has analysed and addressed the varying risks presented’, and sets out a variety of factors that are typically considered. In the current climate, data privacy and information security may become more critical given the large number of employees working from home, widespread job losses, and former employees and vendors that may have access to company systems.
In addition, the current climate has emphasised new topics that merit the attention of compliance professionals, including corporate social responsibility and social justice. Now is the time to partner with key stakeholders in the organisation to help promote the importance of these topics and put them into effect – including building more diversity into the employee base and choosing suppliers that espouse similar values.
Keep messaging simple
The Evaluation highlights the importance of continued communication of the compliance programme and organisational values, indicating that prosecutors will ask, ‘What has senior management done to let employees know the company’s position concerning misconduct?’
Due to the constant cycle of negative news, rising unemployment and loss of loved ones, employees may not have compliance at the front of their minds. Messaging on compliance topics should be kept simple and to the point. To do this, some business leaders are weaving compliance concepts into virtual town halls, creating shortened versions of policies, moving up dates for annual online training, or doing more frequent mini meetings as refreshers on integrity.
Data is the new oil
Compliance officers need to leverage data effectively to monitor key programme areas. The DOJ agrees, stating in its Evaluation that employees should ‘have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions’.
In practical terms, data can be used to manage risk by:
- identifying which third parties require renewal based on expiration of onboarding cycles
- scanning systems to ensure all in-scope third parties go through due diligence
- subjecting all third parties to monitoring and managing alerts
- running data analytics on transactions to identify high-risk exchanges
- reviewing employee completion, scoring and passage rates for online compliance training.
While these suggestions sound great in theory, the key is to ensure at least one major data-driven initiative is established at least every year or two.
In the past, many organisations successfully used technology platforms to onboard third parties, yet did not enter key dates related to onboarding and renewal. By ensuring these dates are inputted at the time of onboarding, companies can easily scan their third-party data to check which parties require renewals and avoid retaining parties with newly discovered issues.
For most organisations, interactions with government officials for legitimate reasons may become harder to track, as these communications can be done in private by employees working remotely. To ensure that transfers of value are legitimate, companies can use data analytics to review transactions exceeding certain value limits or involving certain topics.
The last word
While there is no roadmap for managing risk in such a difficult period, business leaders and compliance professionals should view this time as an opportunity to prepare their organisations for the future. Due to consumer demand, government mandates and changes in societal values, business leaders may have more buy-in than ever to launch initiatives and improvements to compliance and business processes. The organisations that stay active, cognisant and aware will see the greatest success going forward.