Lessons Learned in Compliance Management in 2020
What have we learned from 2020? I think all of us have learned quite a bit in both our personal and professional lives. 2020 has stretched us as individuals and as organizations in various and unexpected ways.
There certainly was a lot of tension, reaction, loss, trials, and tribulation. But there are also positive aspects of agility, adaptation, innovation, and collaboration. It has been a year of health and safety, environmental, information security, conduct, and leadership disasters, but also a year of metamorphosis. As we look to 2021, we all hope for a phoenix rising out of the ashes to take on new heights of ingenuity and advancement.
2020 had its share of business challenges. The year started with the devastation of the Australian wildfires (and later California’s), then entered COVID-19 with worldwide lockdowns and economic and health and safety crises. Not to be outdone, we had major scandals, regulatory change, business change, and misbehavior. We now conclude the year with a major information security breach devastating government and major organizations in the SolarWinds incident.
From a compliance and ethics angle, what can we learn from 2020 and adjust to build a more resilient organization of integrity going forward?
The Compliance Management lessons learned in 2020 are:
- Business and operational integrity and agility. 2020 has stretched organizations to live their values in the face of adversity. Corporate compliance is more than checking off a list of requirements in regulations. Compliance and ethics is about the integrity of the organization. I have been stating for 15 years that I wish I could rebrand the CCO/CECO role to the Chief Integrity Officer (but we already have a CIO executive, so this would be confusing). In the midst of economic, health, environmental, and resiliency crises it has become critical for organizations to walk their talk on values and not just talk it. Compliance had to become agile to adapt to a business, regulatory, legal, and risk environment that was changing daily if not hourly.
- Integrated & federated compliance risk management. 2020 has forced organizations to realize that their compliance and ethics risks cannot be managed in silos. Organizations have realized they need what I have called a federated compliance program that spans departments (what I teach in my Compliance Management by Design Workshops). Silos of compliance risk that do not collaborate introduce greater compliance risk. Consider what started off as a health and safety issue with COVID-19 has cascaded into:
  - Resiliency compliance risks. The organization had to adapt to lockdowns and economic constraints. This meant laying off employees, moving people to a work from home environment, and adapting business processes to work with reduced staff. Some employees had to take on multiple roles and therefore more compliance responsibilities and tasks. Compliance had to stay current and adapt in the midst of business change.
  - Labor compliance risks. Laying off individuals is tricky, and the organization had to stay within the boundaries of the law but also its own values, integrity, and cultural needs. As employees took on more roles it also introduced segregation of duty conflicts for compliance that needed to be more closely monitored.
  - Harassment and discrimination compliance risks. Moving to a work from home environment changed the organization’s culture and tone. As ‘Zoom’ meetings became the new conference room, individuals working from home were more casual not only in dress but in interactions. Things were being said on these online meetings that never would have been said in a corporate office. Employees needed to realize that the same rules of harassment and discrimination apply in a work from home context.
  - Fraud compliance risks. With economic concern because of the pandemic, good employees who never would have thought of committing fraud are now tempted. They are concerned about their personal and family finances and are more likely to commit fraud, so fraud risk exposure has increased. With reduced staff to monitor controls and adherence to policies, they may also think their chances of getting caught are slim.
  - Information security compliance risks. The work from home environment introduced a range of IT security compliance risks that had to be addressed. Compromise of endpoints in home offices could lead to compromise of data, networks, and business systems back in the data centers.
  - Bribery and corruption compliance risks. With constrained supply chains, goods were moving slowly through factories, logistics, and customs. There is increased compliance exposure to anti-bribery and corruption laws, as an employee is more likely to bribe officials/parties to unlawfully expedite their goods over others.
- Regulatory change. Regulations were a mass of confusion in responding to the pandemic and lockdowns. Some were changed, deadlines pushed out for others, others remained the same. Organizations had to navigate and have agile processes to address changing regulatory requirements in the midst of the crisis.
- Employee engagement and culture. 2020 forced organizations to rethink how they engage employees and develop and enforce a corporate culture of integrity in the midst of a crisis. As business processes and roles changed, so did policies and procedures. As organizations went to update policy and procedures and communicate them to remote employees working from home, they found that policies and procedures were a mess. Most organizations do not even know what policies they have in the environment, and they found there were dozens of policy portals with different policy templates and writing styles. Employee engagement in a remote work from home environment drove many organizations to look for new technologies to engage and communicate policies and awareness.
- Policies are a foundation of compliance. OK, 2020 had a lot to teach us about policies. Besides engagement, organizations had to battle rogue and unauthorized policies. Managers at all levels were writing policies to address the crisis and communicating them as such, potentially exposing the organization to liability, as a policy sets a legal duty of care. Organizations realized that they had to have central oversight and control of anything understood to be a policy, and the responsibility fell on corporate compliance and ethics to lead this.
- Third-party risk and resiliency. 2020 showed us how exposed the organization is across the extended enterprise. Not only were there increased bribery and corruption risks from third parties, but there were increased information security risks, privacy risks, and human rights and slavery risks in third-party relationships. The extended enterprise was moving to a work from home environment as well, causing greater security and privacy exposure. Service providers and outsourced data centers went dark as they were not staffed to maintain them in lockdowns. Factories devastated by sick workers were bringing in child labor and forced labor to get goods made. Organizations had to be agile in governing third-party relationships and ensuring compliance across these relationships. Now the SolarWinds security breach has devastated scores of organizations and government agencies.
- We still struggle with old issues. 2020 has also shown us that we still often struggle with the compliance challenges of years gone by. The Wirecard scandal in Germany is driving a lot of change in compliance and controls, but it is a reflection of Enron and WorldCom from 18 years back.
- Defensible compliance. 2020 also illustrated the need for defensible compliance. The US Department of Justice Evaluation of Compliance Program Guidelines were updated in June 2020. One of the key elements that stood out is that organizations need a defensible audit trail and system of record on compliance activities (e.g., who accessed policies on the portal).
A need for federated compliance
What is clear is that 2020 has taught organizations they need a federated compliance management strategy. There is no single department responsible for every aspect of compliance. Today, compliance functions are often scattered and operating independently of each other. There is IT/information compliance, privacy compliance, HR compliance, environmental compliance, health and safety compliance, government contracting compliance, procurement compliance, quality compliance, corporate compliance and ethics, and more.
To be agile in the midst of a changing and dynamic business world requires collaboration across these departments / roles / functions of compliance. 2020 has shown us that the CECO needs to step up and lead an organization-wide collaboration and strategy on federated compliance across these functions.
2020 also has shown us that manual compliance processes or siloed technology solutions slow down an organization that needs to be agile. A federated compliance strategy that is agile also requires an integrated compliance process, information, and technology architecture that enables the organization to reach greater levels of efficiency, effectiveness, and agility in the midst of chaos and change.