Maintaining an effective compliance programme through COVID-19

July 2020  |  SPECIAL REPORT: WHITE-COLLAR CRIME

Financier Worldwide Magazine

July 2020 Issue


The COVID-19 pandemic continues to influence the operating landscape for organisations across the world. One result of the crisis has been the additional responsibility placed on compliance professionals to identify, mitigate and remediate newly introduced risks to a company’s operations. Business disruptions caused by COVID-19 require the exploration of innovative business approaches to generate sustainable revenue streams. Many of these opportunities focus on alternative business arrangements and go-to-market strategies that could carry substantial compliance risks for a company. These uncharted territories may cause increased misconduct by employees who feel the need to circumvent processes to get back to ‘business as usual’ or onboard a new third party without the appropriate diligence being completed or contractual protections put in place. In addition, while enforcement may have slowed given the challenges of collecting evidence and interviewing witnesses, regulators remain focused on charging corporations and individuals for misconduct and have reprioritised their activities to address criminal conduct related to the pandemic.

Maintaining an effective compliance programme remains important as companies continue to operate throughout the COVID-19 crisis. To drive compliance during this time, companies should consider the issues and measures outlined below.

Establish a practical risk management framework. Many companies’ commercial and operational priorities have changed, and organisations are entering new business areas, whether by expanding into adjacent industries or entering entirely new markets. As a result, corruption and other compliance-related risks are present. A risk management framework will help identify compliance and reputational risk and assess the company’s strategy for remediating these risks in terms of adhering to applicable laws and the effectiveness of internal controls, policies and procedures. The framework should be implemented in a manner that: (i) allows a company to identify, prioritise and address compliance risks; (ii) evaluates the impact these risks have on business operations; and (iii) considers an organisation’s risk tolerance. These activities are expectations that have been communicated by both US and UK regulators. For example, in its April 2019 guidance – ‘Evaluation of Corporate Compliance Programs’ – the US Department of Justice (DOJ) highlighted the need for companies to take “appropriate steps to design, implement, or modify” compliance programmes “to reduce the risk of criminal conduct”. Similarly, the UK’s Serious Fraud Office (SFO) recently published guidance about how it assesses the effectiveness of compliance programmes. The guidance, which is part of the SFO’s Operational Handbook, considers whether “[t]he commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary”. In addition, the UK Ministry of Justice (MOJ) recommends that organisations perform monitoring activities, stating in its UK Bribery Act guidance that “[c]ommercial organisations will therefore wish to consider how to monitor and evaluate the effectiveness of their bribery prevention procedures and adapt them where necessary”.

Do not allow ethical conduct to be compromised. Compliance supports operational resiliency by helping internal business partners identify solutions to business disruptions. During this time of crisis, the inclusion of compliance professionals in discussions regarding key commercial and ‘return to work’ activities is important, as compliance professionals will be aware of what guardrails are necessary to prevent misconduct and ensure internal controls and standards exist to reinforce compliance and address potential risks. In addition to participating in strategic discussions with management and business leaders, compliance teams also should consider increasing compliance communications to employees and external business partners, such as joint venture partners, customers, vendors and suppliers. These communications ought to include reminders on compliance expectations, avenues for reporting concerns and allegations of misconduct, and sharing important information on the company’s pandemic response. Finally, corporate culture helps inform decision making. It is important to reinforce the need for all employees to model the right behaviours. Involve middle and senior management in activities that include frequent messaging encouraging employees to continue to adhere to compliance policies and standards and speak up when potentially improper business activities are identified.

Technology will be a critical tool. Sidelining key compliance initiatives due to budget cuts could have long-term negative implications, including the risk of ongoing non-compliance and misconduct. Instead, companies should consider accelerating certain technology investments to help implement compliance initiatives, increase efficiencies and scale the impact a compliance programme has on a company. For example, videoconferencing can be an effective and low-cost way to facilitate ‘in-person’ compliance training. A third-party compliance due diligence platform can help companies prioritise diligence activities while saving internal resources by utilising a matrixed approach that considers the potential risk a third party may pose to the company.

Third-party compliance should remain a focus. Effective third-party risk management must continue, and an emphasis on taking a risk-based approach is even more imperative when companies want to return to the market as quickly as possible. Companies must prioritise their third parties and focus on those that frequently interact with government authorities or that are critical to implementing commercial initiatives. Ensure that agreements with third parties include robust compliance and audit right language and reflect on whether a standalone compliance certification is necessary. Furthermore, companies must consider implementing the ongoing monitoring of higher risk third parties to proactively identify and address possible compliance issues.

Revisit your monitoring and auditing activities. US and international regulators expect companies to monitor their high-risk agents, transactions and other activities. As risks facing an organisation continue to evolve throughout this pandemic, compliance teams should re-examine what business activities are most susceptible to corruption and other compliance risks, adjust monitoring and auditing approaches accordingly, and implement new policies, procedures and controls as needed. The scope and frequency of monitoring activities will depend primarily on this assessment of risks and the effectiveness of continuous monitoring procedures. For example, companies may be comfortable with some lower risk business areas being evaluated at a future date or participating in self-monitoring requirements. Certain business activities, specifically ones that have government touch points, may require targeted and ongoing monitoring, which can raise red flags almost in real-time.

Keep boards of directors informed of compliance risks. Boards of directors have oversight of a compliance programme and should remain aware of a company’s compliance risks. Compliance professionals are appropriately suited to provide insights to the board on compliance risks during COVID-19 because a compliance programme touches all aspects of an organisation. Boards should also consider collaborating with the compliance team on evaluating a company’s response to business disruptions caused by the pandemic, especially as companies consider the future direction of the business and whether business plans and the company’s compliance programme responded to these disruptions effectively. While boards are generally not meeting in person these days, they are meeting virtually, both by phone and videoconferencing, and can be kept as informed as ever, even in our new reality.

Consider new guidance and resources provided by regulators. As the world begins to emerge from this pandemic, regulators are considering resources to help companies gain solid financial and operational footing. An example is companies receiving funds as part of a government stimulus package. Misuse of these funds can lead to regulatory actions and litigation risk, but regulators are likely to consider the strength of a compliance programme if allegations of misuse arise. How companies receive and distribute these funds should be an important area of focus in the short term, and attention to what type of auditing and monitoring activities are warranted to address potential misuse will be key to avoiding scrutiny by regulators.

During this crisis, compliance professionals are emerging more than ever as key business advisers, helping both internal and external partners drive risk accountability and ownership. Focusing a compliance programme on addressing the most significant risks to an organisation during and following this pandemic will help protect the business and allow companies to emerge post-COVID-19 on solid ground.

William Jacobson is a partner and Sarah Foley is a compliance specialist at Allen & Overy. Mr Jacobson can be contacted on +1 (202) 683 3883 or by email: william.jacobson@allenovery.com. Ms Foley can be contacted on +1 (202) 683 3873 or by email: sarah.foley@allenovery.com.

© Financier Worldwide

