As 2022 comes to a close, now is an ideal time to reflect on the developments and challenges this year held for the risk and compliance profession – and there was no shortage of either. The complexity of maintaining compliance in today’s environment continues to elevate the compliance function and demonstrates the critical role these leaders play in their organization’s security, reputation and revenue. While the below list is not exhaustive, this article covers some of the major happenings in 2022 and gives insight into how to prepare for 2023 and the years to come.
Geopolitical risk intensifies
Nearly one year into the war in Ukraine, the impacts continue to be felt around the world. The devastation of this war cannot be overstated – from the loss of life and the physical damage in Ukraine, disruption to the global energy markets and general economic turmoil, recovery will not be swift. One result for organizations conducting business internationally is the need to ensure compliance with the resulting sanctions against the Russian Federation enacted in retaliation for the unlawful invasion of its neighbor.
Staying compliant with sanctions imposed by the Office of Foreign Assets Control (OFAC) and other global enforcement agencies is a challenge for many businesses. Even 10 months into the war, the sanctions environment is still evolving. Even with screening practices already in place, some organizations were still unable to stay compliant and faced the repercussions for violating sanctions. Further, third-party relationships involving global supply chains and other services are perhaps some of the most complex liabilities for sanctions compliance. It requires organizations to design, implement and maintain much more robust due diligence and ongoing monitoring practices.
What is clear is the global risk landscape and compliance with a fluid regulatory environment will remain a challenge in the coming year, and most likely for years to come.
U.S. DOJ’s focus on accountability
In recent months, the U.S. Department of Justice made it clear they will focus on ensuring compliance programs are operating as they should, and expect businesses to demonstrate their efficacy. In March 2022, Assistant Attorney General Ken Polite delivered remarks outlining DOJ expectations. The three main expectations are that compliance programs are:
- Well designed
- Adequately resourced and empowered to function effectively
- Working in practice
To continue to drive this point home, in September 2022, Deputy Attorney General Lisa Monaco delivered similar remarks indicating a focus on creating a culture of compliance. She also addressed policy shifts, such as how prosecutors will consider a company’s prior history of misconduct when the DOJ imposes compliance monitors. The message coming from the DOJ is clear: there must be a culture of compliance that starts with the board; missteps must be reported voluntarily, and if investigated, companies that cooperate will see better results. Keeping pace with these heightened expectations requires clear, consistent policies and communication and accountability at all levels.
For some, the DOJ’s increased scrutiny over compliance operations may seem daunting – after all, who likes being under a microscope? However, the DOJ’s focus also means organizations must pay better attention to compliance. Too often, compliance is still seen as a “check the box” function. But, by drawing public and regulatory attention to how a company operates and stays compliant with applicable regulations, compliance is forced to mature – gaining autonomy and funding to support these efforts as a result. Increased accountability is also now enforced with rules requiring executive compensation clawbacks should misconduct be discovered, a measure meant to hold companies accountable and quell executive malfeasance.
Aligning the rest of the C-suite and the board of directors to the mission of creating a culture of compliance, instilling best practices from the top-down, and holding all individuals accountable to ethical behavior and compliant practices has never been more important.
The CISO and the CCO collaborate to address cybersecurity risk
In March, the U.S. Senate unanimously passed the Strengthening American Cybersecurity Act of 2022, which is still currently awaiting sign-off from the House of Representatives. Whether or not this makes it to President Biden’s desk before the next Congress is an open question, but either way, this shows a prioritized focus from lawmakers on establishing cybersecurity practices and holding negligent organizations accountable.
Relatedly, the SEC proposed new rules to help manage the increased cyber risk organizations face. This is something CCOs should also pay close attention to, and a prime opportunity for collaboration with the CISO. These rules would require public companies to disclose their approach to managing cybersecurity risks and to disclose “material cybersecurity incidents.” Companies would need to outline the policies and procedures used to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise and oversight into the program.
If passed, the SEC disclosure requirements would be best achieved through a strong partnership between the CISO and CCO. But beyond the obvious need for a partnership in this scenario, there is a strong need for ongoing collaboration between the two functions. Recent high-profile enforcements from the Federal Trade Commission (FTC) are an example of how compliance failures and a lack of cybersecurity policies and procedures can have costly consequences. The recent settlements against an online liquor store and an online student services business due to a data breach caused by poor practices demonstrate the critical need for comprehensive training, clear policies and procedures, and regular risk assessments. Taken together, the proposals from the SEC and the enforcement from the FTC show that organizations not only benefit from a CISO/CCO partnership, but that the partnership may also be vital to staying ahead of the changing threat landscape and increased enforcement.
The need to address cybersecurity extends to businesses of all sizes, which is especially challenging for SMBs. Many smaller businesses lack adequate resources to execute a cohesive strategy to address third-party risk, and two-thirds of organizations with 100-1,000 employees experienced a cyberattack in the prior year. To best manage these challenges, the CISO and CCO should partner to plan for likely scenarios, make business continuity plans, and work together to manage third-party cybersecurity and compliance. Not only will this approach set companies up for success to prevent these issues, but it will also show an earnest effort and likely reduce penalties should an incident occur.
Global whistleblower protection
The whistleblower protection landscape has always been a hot topic among compliance professionals, but the last few years yielded increased global legislation and enforcement. At the time of this posting, we just passed the one-year mark of the EU Whistleblowing Directive taking effect. Harmonizing the EU country transpositions can be a challenge, but it is far from the only whistleblowing protection legislation. The U.K. is following suit and moving whistleblower protection legislation forward, and Japan introduced protection rules in the last year – just to name a few.
As the EU Whistleblowing Protection Directive continues to be transposed by the member states, companies may be in regulatory limbo and the updates may be difficult to parse. Key challenges of complying with the EU Directive include:
- Accommodating for non-employee reports
- Keeping abreast of transpositions and how they differ among member states
- How to receive, investigate and follow up on anonymous reports
- Complying with the GDPR which regulates personal information which may be included in whistleblower reports
- How to ensure whistleblower protection from retaliation
These challenges may not be unique to the EU Directive, as they are all considerations in running a hotline, but keeping up with 27 different variations of whistleblower protection laws is a challenge for even the savviest compliance officer. Though the final requirements will vary, as a baseline, organizations impacted by the EU Directive should adhere to the minimum requirements outlined and work towards going beyond the baseline – especially as the EU is just one regulatory body imposing whistleblower protection requirements.
Increased third-party risk
Third-party risk takes on many forms, and the effect misconduct can have on an organization often results in revenue loss and reputational damage that can take years to recover from. Some of the most pressing risks third parties pose include supply chain disruptions, illegal and/or dangerous labor practices, and cybersecurity breaches that expose sensitive data.
Even well-resourced R&C programs face a major task in ensuring their risk and governance standards are applied consistently. With the potential for thousands of third-party vendors at a given organization, and different business units exploring and entering those relationships, third party governance is a constant challenge. This year, four major third party risk categories underscore this challenge.
First, the business risk third parties pose in the current geopolitical environment was highlighted in part due to the war in Ukraine. While failure to comply with sanctions on individuals and entities has always been a factor of third-party risk management, the current geopolitical environment is far more volatile and expansive than in years past. Businesses need to worry about not just their own sanctions compliance but also their vendors’.
Second, third-party cyber risk is a cause of major concern given the amount of access vendors usually have to company and/or customer information. When a cyberattack occurs and sensitive information is exposed, the customer doesn’t care where the breach originated. The effects often result in reputational damage or regulatory enforcement, which are costly and time-consuming. Protecting your own enterprise is one thing, but monitoring dozens, hundreds, or potentially thousands of vendors for the same level of cyber hygiene and security is a monumental task without an automated risk monitoring capability.
Third, the past few years have been rife with supply chain disruptions, bringing into focus just how much businesses rely on their suppliers. Though many supply chains recovered from the initial COVID-19 disruptions, there continue to be problems that cause major disruption from manufacturing to shipping. To best address the supply chain risk third parties pose, businesses must ensure they are prepared for a vendor outage or disruption and be ready to pivot so business is minimally impacted.
Finally, it is readily apparent that in the public lens, your vendor’s reputation is your reputation. Take for example the recent stories concerning the use of undocumented child labor in the auto manufacturing industry. These cases are not only highly disturbing, they also notably focus on the major manufacturer – not as much on the third-party vendor. What this means, of course, is that third-party risk and misconduct put your reputation at stake. Third-party risk is your risk, their reputation is inextricably tied to yours, and the consequences of inadequate diligence and monitoring can be devastating.
Looking ahead
Though we can’t predict the future, we’re committed to providing resources and expert guidance on what risk and compliance leaders should pay attention to. Each year, the NAVEX Top 10 Trends in Risk and Compliance strives to do just that. The 2023 edition will discuss:
- The Whistleblower Landscape – Reporting Trend Changes May Compel Organizations to Reassess Their Programs
- The Next Era of R&C Management: Data-Informed Decisions Through Digital Transformation
- EU Whistleblowing Directive – Trends in Transposition and Adoption
- This Supreme Court Case Will Reverberate Throughout the Compliance and ESG World
- Privacy in 2023 – What to Expect and How to Prepare
- Staying Ahead of ESG Disclosures – What to Expect and How to Prepare
- Addressing Risk, Compliance & Integrity in the Extended Enterprise
- Third Party Risk in the Era of Sanctions Enforcement
- New Expectations of Executive Leadership – How Will You Prove and Certify Your Program Works?
- Joining Forces with Learning and Development Will Improve Ethics and Compliance Education
On January 19, 2023, NAVEX will host the annual Top 10 Trends in Risk and Compliance webinar, with the full publication also available for download that day. Join Chief Risk and Compliance Officer for NAVEX, Carrie Penman, and CEO of Spark Compliance Consulting, Kristy Grant-Hart, as they offer expert commentary on what risk and compliance leaders need to know heading into 2023 and beyond.