Every organization’s risk profile has changed because of the current crisis. Companies that have not performed a risk assessment since the pandemic started are already behind the curve. True Office Learning CEO Neha Gupta offers recommendations for commanding control of new risks while preparing for the future.
The COVID-19 crisis has exacted a terrible human and economic toll in a short time. Compliance professionals must accept that the risk landscape will simply never be the same again.
Over the past few months, the workplace has changed significantly, and a new normal will soon emerge as companies identify their approach to returning employees to physical offices and facilities. Compliance teams have a unique opportunity to be proactive and prepare for what lies ahead, rather than try to wait out the crisis.
The compliance professional’s role during and after the COVID-19 crisis is threefold:
- Communicate with employees about how to stay compliant despite the pandemic-driven business shifts with easy-to-follow, prescriptive guidance.
- Recognize how risk has evolved because of the crisis and bring in a cross-functional team to address identified gaps and monitor new risks.
- Understand that this new reality may be permanent, and have a plan to re-architect a company’s approach to risk — now and in the future.
All three of these objectives should be on the compliance team’s radar in order to avoid playing catch-up with evolving risks. This pandemic will inevitably bring continued uncertainty. The more proactively teams can anticipate risks and remediate them, the more sustainably their business can grow and navigate these uncharted waters.
The Evolving Risk Landscape
The rise in remote work presents an obvious challenge: How can companies maintain a culture of compliance while mitigating risk when people aren’t in the same location? Moreover, many people have been thrust into temporary roles, making it difficult to ensure they understand the compliance requirements of their new tasks. As offices reopen, day-to-day logistical challenges and safety issues will continue to be paramount.
Additionally, performance pressure on businesses will be exceptionally high in the second half of the year. Employee morale and sentiment might be shaken due to layoffs, furloughs and personal events, yielding greater distraction and less focus on and commitment to the workplace.
Managing risk through the pandemic requires us to accept that the pandemic is fundamentally changing risk. No matter your industry, in order to successfully prepare for the increased risk of cybersecurity, operational, safety, regulatory and reputational issues, consider:
- What policies and best practices must be implemented to keep employees safe — and avoid spreading the virus — in the workplace? What is the plan if someone falls ill? What should managers do if employees don’t comply?
- Which groups are most likely to be under excessive performance pressure? What communication and awareness efforts are in place to make sure that company values stay top of mind?
- What risks from new or revamped processes have emerged and must be addressed (e.g., data privacy risk of employee health information)?
- How are investigations and escalations handled when everyone is remote?
- How do we identify and report conduct or ethics issues effectively in this new, dispersed working environment? What strategy will the organization take to avoid bias or discrimination resulting from COVID-19?
- Are company policies regarding sick leave, benefits, privacy, protective equipment and other COVID-19 concerns in line with updated government, industry, union and parent company regulations?
- And most important of all: What is our plan to train and prepare the workforce for entry into this new normal? How will we determine whether or not they truly understand the changes and know how to apply them?
In this new landscape, data is more critical than ever before. Determining which key risk indicators and triggers must be added to the assessment process will be essential for staying ahead of the curve. Equally important is identifying the internal stakeholders and departments that compliance needs to align with along the way, so employees get the same information from compliance and the business. People will have questions and concerns; compliance needs to be there to provide cohesive answers and allay fears.
Redefining and Restructuring Compliance and Risk
This pandemic is a crash course in change management. If your compliance department struggled with risk identification before, this crisis has likely forced a short-term reactive strategy, which isn’t sustainable or suitable for the long run. If you have a mature risk assessment process, you have an opportunity to enhance and re-architect it so that you are leading the change instead of following it.
This unique opportunity not only demonstrates how compliance addresses any future COVID-19 developments, but also shapes compliance’s role in the organization as a business impact driver. When new and evolving risk flares again — even outside of the pandemic — compliance departments can set a standard for surviving the crisis.
4 Strategies to Implement for Success
Working through the COVID-19 risk landscape and reimagining compliance and training processes on the other side may seem daunting when so much is in flux. These four recommendations offer a blueprint for commanding control of existing and new risk while preparing for and mastering the future:
1. Conduct Dynamic Risk Assessments
As already mentioned, compliance professionals must have an immediate idea of what has changed in their risk landscapes. This should include the obvious updates to laws and developments in cyber-risk, supply chain, fraud, and conduct risk, but it also should address concerns that were minor before but are now much bigger due to changes in how the organization will conduct business going forward.
The business-as-usual approach to compliance should be void right now in the short term. Pre-pandemic plans and campaign calendars don’t matter in the new risk landscape. When resources are strained, employees’ attention spans are limited and conventional wisdom no longer applies, we as compliance professionals must change our approach.
Focus on sticking to the most critical messages — keep them short, relevant and human. Refocus on monitoring, surveillance and tracking the areas of risk that have increased since March, as well as establishing and strengthening relationships with departments that have been pulled into the risk profile. Everything else can wait.
3. Rewire for Remote
Prior to COVID-19, many organizations operated with compliance staffers or risk area owners monitoring employees who have high-risk functions and responsibility in real time, because it was easier to alert, adjust and educate on the spot. Any mechanisms associated with that strategy have all but evaporated in the remote and socially distanced work environment.
To compensate for this loss, compliance should amplify targeted training, humanize communications, home in on awareness for the top risks and identify the employees who perform risky tasks. More broadly, compliance needs to dispel the myth that remote operations are held to a different standard than on-site operations. The company’s day-to-day reality may have changed, but its values — especially in addressing risk — haven’t and shouldn’t.
4. Architect a Medium- and Long-Term Compliance Strategy
Some COVID-19 issues should take priority, because the world is a giant wildfire and compliance professionals are simply trying to get out of the woods. The fire will stop someday, and organizations will need to replant the forest.
Compliance departments should consider the future as well as the present so that instead of restarting the journey, they incorporate the next steps into what they’ve already achieved. Compliance professionals need to think of all the policies and their applications in a remote environment, because during the medium term, some percentage of your workforce will continue to operate in a nontraditional environment.
A comprehensive survey by Ethisphere of more than 585,000 employees worldwide found that workers are three to five times less likely to report actual or perceived corporate wrongdoing if they consider the company’s training and communication to be ineffective. In other words, if an organization isn’t serious about compliance training and communications — especially in a time of crisis — its employees won’t be either. The consequences can be disastrous.
Character is tested during times of duress. Even if a company dodges every risk bullet, the damage to its compliance culture will be steep — and possibly irreparable — if the tone at the top departs from a focus on values. This sets the stage for a progressively higher risk of violations over time.
Compliance benchmarking data shows that employees are significantly more likely to report violations to their managers than through other channels. To encourage compliance, it’s more important than ever to make sure you train managers on how to respond to violations and escalate them to the appropriate channels. Risk-based, adaptive learning approaches or manager tool kits and job aids can make this easier, as well as maintain alignment with the latest DOJ guidance.
The COVID-19 crisis is a chance for compliance to step up — to choose whether it wants to be an empathetic, collaborative business driver or a cost center that will solve problems after they happen. With a plan to address the present and navigate into the emerging future, compliance professionals will be able to stay ahead of the curve, earn the respect of leadership and business stakeholders and avoid artificial hurdles that derail business recovery and growth.