COVID Risk Events and DOJ Compliance Expectations

To say it’s a challenge might be an understatement: Many managers are wondering to what extent their regulators will allow them to modify compliance standards during COVID-19. With a large share of essential staff working from home, maintaining compliance and audit processes is difficult.

The answer is that financial regulators are sympathetic but firm – the SEC, OCC, Federal Reserve, the Bank of England, and others are providing few allowances to the businesses they regulate.

In fairness, regulators are going out of their way to understand the challenges involved. They want to be as flexible as they can to help organizations. They are also keen to identify and address potential risk events that will likely have happened as people continue to work from home.

In the current environment, it’s striking that the US Department of Justice (DOJ) has updated its expectations of Corporate Compliance Programs during the pandemic, providing its blueprint of what ‘good’ compliance looks like.

Its significance lies in the way that members of the global regulatory community work together to address shared goals. The DOJ’s action is likely to influence and define expectations of what makes up a good compliance program across the board among other regulators.

A timely announcement

The DOJ announcement is timely because of the issue of risk events that are highly likely to have taken place with so many people working from home. It provides a guide to help organizations consider where such risk events will have occurred, and how best to mitigate them.

It also provides a framework to help organizations think about those core business processes that affect their compliance, and which rely on manual processes. The ‘new normal’ everyone is facing will rely on work-from-home strategies more than before the pandemic, even once we’ve emerged from it, and manual processes that only work when everyone is in the office will need to be among the first to be removed.

The DOJ guidelines pose three questions:

1. Is the compliance program well-designed?

  • Compliance program design
  • Risk appetite
  • Risk-tailored resource allocation
  • Updates & currency
  • Applying lessons learned
  • Policies and procedures
  • Design
  • Comprehensiveness
  • Accessibility
  • Responsibility for operational integration
  • Controls & gatekeepers
  • Training and communication
  • Risk-based training
  • Training effectiveness
  • Communication about misconduct

2. Is the program managed in good faith?

  • The commitment of middle and senior management
  • Conduct at the top
  • Shared commitments
  • Oversight
  • Autonomy and resources
  • Seniority & structure
  • Experience & qualifications
  • Funding & resources
  • Data resources & access
  • Autonomy from the business
  • Management of the outsourcing of compliance functions where necessary
  • Incentives and disciplinary measures
  • HR processes
  • Consistent application
  • The incentive system

3. Does the compliance program work in practice?

  • Continuous improvement, periodic testing and review
  • Internal audit
  • Control testing
  • Evolving updates
  • A culture of compliance
  • Investigation of compliance
  • A fully scoped investigation by qualified personnel
  • Responses to investigations
  • Analysis and remediation of underlying misconduct
  • Root cause analysis
  • Prior weaknesses
  • Payment system weaknesses
  • Vendor management
  • Prior indications
  • Remediation
  • Accountability

The DOJ document is valuable, as it provides a clear picture of what a member of the regulatory community perceives as good practice. It supplies a template for any organization looking to return to the office, post-COVID-19, and streamline their GRC regime.

It is timely because the hybrid office/home working model will bring to light a range of issues that will compromise compliance, auditability and transparency, caused by manual processes and unapproved technology workarounds. Organizations will need to move swiftly to fix a range of risk and compliance problems related to policy management, compliance management, end-user computing applications and supply chain management, as well as the reporting and management of all these aspects.
