COVID-19 has changed so many things about our lives, both personally and professionally. Many of us are acclimating to a new normal of remote work and virtual meetings amongst competing priorities like family and finances. One thing it hasn’t changed is the importance of doing the right thing.
As our work landscape evolves, so have the compliance risks and exposures that may have been a mere blip on the radar two short months ago. While there is an array of helpful information about managing the present crisis, we must also look ahead to the tail of the curve and plan for when businesses re-open and we’re face to face once again.
Performance pressure in these uncertain economic times is higher than ever, and while we may be taking a collective pause, the ramp-up on the other side is only going to be more extreme. The goal is to actively prepare for and manage that change, rather than being led reactively by it.
Now is the time to acknowledge that the compliance risk assessment you’ve been relying on has likely changed in light of increased remote work, changes to business processes, and changes to state-specific health and safety requirements. Whether you have a formalized compliance risk assessment/framework, or your process is more ad hoc, you'll need to re-evaluate.
Think about this as a pre-COVID versus post-COVID exercise. Here are three tips to get you started:
1) Partner with your risk area owners and business leaders:
Start the process by setting up time to speak with each risk area owner about what’s changed.
Many of us work in decentralized environments where company stakeholders outside of the compliance department own specific risk areas. These business owners are instrumental because they live and breathe the business - and they’ll be the ones to understand what’s changed, what will be expected of the business next, and any emerging risks associated with those changes. Being in lockstep with the new goals the businesses are trying to achieve is the first step in developing an effective strategy to help them get there safely.
2) Update each exposure to reflect the ‘new normal’:
As you work through each risk area, update your risk register if the likelihood of noncompliance or the potential severity of impact has changed. This ensures any emerging risks are being prioritized and mitigation plans reflect the here and now.
For those who are newer to this process, or are doing this in a more ad hoc fashion, capture potential changes by framing each of your identified risks around the elements of an effective compliance program. Walking through each element helps to flush out any gaps that may have popped up as COVID-19 has changed the way we get things done.
Here are some questions to consider for each risk you’ve identified:
3) Align on changes (and don’t revert to silos).
Once you’ve updated your risk assessment, make sure you share it, and confirm alignment, with your stakeholders. This cross-functional team will be instrumental as you move forward and deploy your renewed strategy.
You’ll likely need continued partnership around new communication, policies, training, or monitoring, which should not be done in a silo once you receive the updates you need. Some common stakeholders of this cross-functional team include risk area owners, subject matter experts, and those in the day-to-day operations where the risks lie.
As you move through this process, here are some things to keep in mind to avoid pitfalls or gaps:
- There are differing state and local requirements that may impact the way your company does business. For example, some states require masks be provided for essential workers at no cost. Be sure to look into each jurisdiction where you operate.
- While some risk areas in need of updates are more obvious, like cyber and data privacy, don’t discount the potential exposure to discrimination and/or retaliatory behavior as a result of COVID-19, especially for companies with a global footprint.
- It’s important to revisit existing risks in your risk register – but be sure you collaborate with risk and business owners to understand what, if any, new risks have come about in a post-COVID world (e.g., Government contracting or increased risk of fraud). Make sure you also capture any changes in oversight (risk area owners).
- When evaluating risks, it’s easy to get caught up in the high-level risk areas. Take anti-corruption – rather than asking “what’s changed in the anti-corruption area”, work backwards from the risky tasks employees are doing and the new behaviors expected of them. For example, is there a new threshold for expenses that don’t require manager approval?
- Consider areas where risk protocols have changed in light of COVID-19, like third-party management and supply chain, especially changes in diligence requirements for third-party vendors.
- Enterprise risk assessments may provide a good gauge of strategic financial and operational risks to the company, but don’t rely on them solely to capture all the emerging compliance risks you’re seeing.
Now’s an important time to distinguish the Compliance department as a leader and collaborative partner. We play a critical role in helping our organization resume normalcy in an ethical and sustainable manner, setting up the pathway for long-term success.