Lessons Learned in Compliance Management in 2020

The Compliance Management lessons learned in 2020 are:

• Business and operational integrity and agility. 2020 has stretched organizations to live their values in the face of adversity. Corporate compliance is more than checking off a list of requirements in regulations. Compliance and ethics is about the integrity of the organization. I have been stating for 15 years that I wish I could rebrand the CCO/CECO role to the Chief Integrity Officer (but we already have a CIO executive so this would be confusing). In the midst of economic, health, environmental, and resiliency it has become critical for organizations to walk their talk and not just talk it in context of values. Compliance had to become agile to adapt to a business, regulatory, legal, and risk environment that was changing daily if not hourly.
• Integrated & federated compliance risk management. 2020 has forced organizations to realize that their compliance and ethics risks cannot be managed in silos. Organizations have realized they need what I have called a federated compliance program that spans departments (what I teach in my Compliance Management by Design Workshops). Silos of compliance risk that do not collaborate introduce greater compliance risk. Consider what started off as a health and safety issue with COVID-19 has cascaded into:
  • Resiliency compliance risks. The organization had to adapt to lockdowns and economic constraints. This meant laying off employees, moving people to a work from home environment, and adapting business processes to work with reduced staff. Some employees had to take on multiple roles and therefore more compliance responsibilities and tasks. Compliance had to stay current and adapt in the midst of business change.
  • Labor compliance risks. Laying off individuals is tricky, and the organization had to stay within boundaries of the law but also its own values, integrity, and cultural needs. As employees took on more roles it also introduced segregation of duty conflicts for compliance that needed to be more closely monitored.
  • Harassment and discrimination compliance risks. Moving to a work from home environment change the organization culture and tone. As ‘Zoom’ meetings became the new conference room, individuals working from home were more casual in not only dress but in interactions. Things were being said on these online meetings that never would have been said in a corporate office. Employees needed to realize that the same rules of harassment and discrimination apply in a work from home context.
  • Fraud compliance risks. With economic concern because of the pandemic, good employees who never would have done thought of committing fraud are now tempted. They are concerned about their personal and family finances and are more likely to commit fraud thus fraud risk exposure has increased. With reduced staff to monitor controls and adherence to policies, they may also think their chances of getting caught were slim.
  • Information security compliance risks. With a work from home environment introduced a range of IT security compliance risks that had to be addressed. Compromise of endpoints in home offices could lead to compromise of data, networks, and business systems back in the data centers.
  • Bribery and corruption compliance risks. With constrained supply chains, goods were moving slowly in factories, logistics, and through customs. There is increased compliance exposure to anti-bribery and corruption laws as an employee is more likely to bribe officials/parties to unlawfully expedite their goods over others.
  • Regulatory change. Regulations were a mass of confusion in responding to the pandemic and lockdowns. Some were changed, deadlines pushed out for others, others remained the same. Organizations had to navigate and have agile processes to address changing regulatory requirements in the midst of the crisis.
• Employee engagement and culture. 2020 forced organizations to rethink how they engage employees and develop and enforce a corporate culture of integrity in the midst of a crisis. As business processes and roles changed, so did policies and procedures. As organizations went to update policy and procedures and communicate them to remote employees working from home, they found that policies and procedures were a mess. Most organizations do not even know what policies they have in the environment, and they found there were dozens of policy portals with different policy templates and writing styles. Employee engagement in a remote work from home environment drove many organizations to look for new technologies to engage and communicate policies and awareness.
• Policies are a foundation of compliance. OK, 2020 had a lot to teach us about policies. Besides engagement organizations had to battle rogue and unauthorized policies. Managers at all levels were writing policies to address the crisis and communicating them as such, potentially exposing the organization to liability as a policy sets a legal duty of care. Organizations realized that they had to have central oversight and control of anything understood to be a policy and the responsibilities fell on corporate compliance and ethics to lead this.
• Third-party risk and resiliency. 2020 showed us how exposed the organization is across the extended enterprise. Not only were there increased bribery and corruption risks from third parties, but there were increased information security risks, privacy risks, and human rights and slavery risks in third-party relationships. The extended enterprise was moving to a work from home environment as well causing greater security and privacy exposure. Service providers and outsourced data centers went dark as there were not staffed to maintain them in lockdowns. Factories devastated by sick workers were bringing in child labor and forced labor to get goods made. Organizations had to be agile in governing third-party relationships and ensuring compliance across these relationships. Now the SolarWinds security breach has devastated scores of organizations and government agencies.
• We still struggle with old issues. 2020 has also shown us that we still often struggle with compliance challenges of years gone by. The WireCard scandal in Germany is driving a lot of change in compliance and controls, but it is a reflection of Enron and Worldcom from 18 years back.
• Defensible compliance. 2020 also illustrated the need for defensible compliance. The US Department of Justice Evaluation of Compliance Program Guidelines were updated in June 2020. One of the key elements that stood out is that organizations need a defensible audit trail and system of record on compliance activities (e.g., who accessed policies on the portal).

A need for federated compliance

What is clear is that 2020 has taught organizations they need a federated compliance management strategy.  There is one single department responsible for every aspect of compliance. Today, compliance functions are often scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more.

[bctt tweet=”What can we learn from 2020 and adjust to build a more resilient organization of integrity going forward? – Michael Rasmussen” via=”no”]