Corporate compliance is always a hard job—but now that we’re in a global pandemic where laws, regulations, and organizational strategies are shifting daily, it’s become even more challenging. In our July 15 webinar, A Look Ahead—Perspectives on Compliance in Uncertain Times, Brad Harris, Hanzo’s Vice President of Product, led an extensive conversation about the effects of the coronavirus pandemic, and its persistent uncertainty, on maintaining corporate compliance. This blog post recaps some of the key highlights from that wide-ranging discussion.
What’s Changed—and What Hasn’t—in the Compliance Landscape
Our speakers agreed that the immediate shift from traditional office work to remote work necessitated a corresponding change in how compliance professionals approach their jobs. Alexia J. Maas, Senior Vice President, General Counsel at Volvo Financial Services, noted that “It’s been interesting to watch that develop over the past weeks and months. The transition to remote work has highlighted the need for and importance of personal contact, whether that contact is face to face, over the telephone, or on a video conference. I believe that shift will be an interesting antidote to the past epidemic of email use and abuse. Now that we’re turning back to verbal contact, I expect that will lead to new efficiencies.”
Ana-Paola (AP) Capaldo-Aoun, the Director and Ethics and Compliance Officer for TechData, had seen two particular changes since the onset of the pandemic. “For one, many of the technology-dependent controls we have in place as companies were suddenly no longer there when we moved out of the office. We’ve needed to shift the way we’re leveraging technology to detect risk from a remote environment. Second, we’re also leveraging technology more to implement aspects of our program around training, communications, and outreach. There were a lot of human contacts that happened in our compliance programs that just can’t happen right now, so we’ve had to get really creative with the resources we do have.”
Our third speaker, Tom Fox, a Compliance Evangelist and the Founder of the Compliance Podcast Network, suggested that we focus on both how a company does business and consider how compliance does business, since its customers are the company’s employees. He asked, “How do you communicate with a remote workforce? How do you keep compliance front and center without inducing compliance fatigue?” He recommended that compliance professionals collaborate with their communications specialists about effective messaging. “You have to encourage people to speak up and raise their hand where they might have previously been able to come down the hall to talk with you.”
Fox also provided an update on recent changes to the compliance landscape and shared updated regulatory guidance. In June, he noted that the Department of Justice had released the 2020 Update to its Evaluation of Corporate Compliance Programs guide, which reemphasized the need for risk assessments, data, and continuous monitoring and improvement. Shortly afterward, the DoJ and the Securities and Exchange Commission released the second edition of “the bible,” the Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA).
Though, one thing hasn’t changed at all: regulatory authorities’ insistence that compliance professionals find a way to do their job. Fox observed that the new guidance was “overlaid in the worst health crisis and economic downturn certainly in my lifetime. So, not only have your risks, and the guidance changed, but regulators are expecting you to continue to do effective compliance. You’re not getting a pass because of COVID-19.” Capaldo-Aoun agreed, pointing out that “just because you’re in a crisis, that doesn’t mean that you don’t stick to your core tenets and values. You have to get scrappy.” Maas added, “We can’t plan forward by months or years; we have to go week by week. The changing environment has led to regulations that are very ambiguous and likely to be frequently amended. Keeping up is a challenge.”
Updated Risk Assessments Are Critical
In the face of these challenges, our speakers emphasized the need to revisit compliance risk assessments. As Capaldo-Aoun said, “Your risk assessment doesn’t need to be fancy, but you need a touchpoint. Are you still devoting resources to an area that isn’t as risky as it typically would be, like travel and entertainment? Maybe you need to pull back on that and focus your resources on other types of risks. Many of us are busy with reactive things, but it’s important to take a step back and make sure you have a strategic plan that you’re executing on. Of course, you should always document the choices you’re making and why you’re making them, and documenting your wins.”
Maas echoed that sentiment, adding, “Sadly, it’s a fact that people will take advantage in a crisis when attention is diverted. It means that the risk of problems like theft, fraud, money laundering, and cyberattacks is heightened. And on a corporate level, as businesses fight to survive, there’s an increased potential for bribery and corruption issues. We in legal compliance functions need to be really on guard and helpful to the businesses we support, reminding them of the risks and safely navigating what they need to do to keep the business running. People think that it’s not the time for a training session when they’re in crisis management—but it really is.” She added, “Focus on training in concise, interactive, and quick bursts. We need to be a little more creative in delivering that message instead of relying on lengthy guidance documents that no one has time to read.”
New Approaches to Compliance and Key Takeaways
As we wrapped up the webinar, we asked our speakers to summarize any helpful approaches and essential takeaways they’d learned from the first two quarters of 2020. Maas recommended that compliance professionals stay calm. “Don’t let yourself be overwhelmed by the task in front of you. I always like to build compliance programs backward. Start at the end with what you’re trying to achieve. What’s the goal or standard you’re trying to meet? Keep that in focus as you build your program backward, in chunks, with each step leading to the next. That makes it easier to achieve the whole program and maintain ongoing monitoring and compliance. And don’t overcomplicate; simplicity and agility are key right now. Don’t strive for perfection when good is good enough.”
Fox kept his key takeaway clear, noting, “The three most important compliance rules are document, document, document. Any change you make, any policies you implement, any endorsements, document them. If you don’t document it, in a regulator’s eyes, it never happened.”
Capaldo-Aoun closed out the session by recommending that compliance professionals think through how their business processes have changed and how they might change in response. “If you’ve always wanted to do something outside of the box, now might be the time to try again. Decision-makers are rethinking the way they deploy resources, and an idea like gamification or virtualized training now might be mainstream. Reframe your thinking: don’t focus on what you can’t do anymore, but on what you can do. And be very intentional not just on the what but on the how and why.”
This webinar was packed with useful content beyond what we’ve recapped here, touching on data analytics, privacy and confidentiality, and the dangerous “culture of override.” Fortunately, you can watch a full replay on demand.
To learn more about the new guidance, you can also get a copy of the white paper we’ve produced explaining the DoJ’s 2020 Update on the Evaluation of Corporate Compliance Programs.
Interested in documenting and preserving your compliance data?