All successful compliance programs depend on an astute risk assessment. That’s hard enough to deliver under the best of circumstances — and COVID-19 leaves compliance officers performing risk assessments under some of the worst.
Clearly fresh risk assessments are necessary. COVID-19 has transformed a host of business operations, and that means a host of business risks have changed, too. At the same time, however, your ability to assess those risks has come under strain, often in very practical ways. Anyone who has called into a Zoom meeting with spotty wifi service already knows this.
So what does the routine of risk assessment look like today, with COVID-19 shredding traditional risk profiles and trapping everyone at home? Let’s consider a few points.
Start by thinking about risks.
It’s easy to say, “COVID-19 changed everything!” … but think about what that really means. The rise of a public health threat caused companies to change their operating procedures — so how do those new procedures change compliance risk?
That’s the first question your risk assessment needs to ask, and you’ll need to ask it of the entire enterprise. Even small departments or geographic units that typically wouldn’t be in scope for a risk assessment will now need to be in scope, at least for a preliminary questionnaire to help you understand the new risks rising under the company’s feet.
For example, perhaps the pandemic has forced your whole procurement team to work remotely, and the company trimmed 5% of the workforce amid declining revenue. That’s a double-whammy of cybersecurity risk for handling confidential data at home, and fraud risk if layoffs have weakened segregation of duties.
Your risk assessment will also need to pay more attention to the external forces swirling around your enterprise. If the company has scrambled its supply chain to source materials closer to home, that’s new vendor risk. If customers are shifting from retail purchases to online sales, that’s data privacy risk.
And, of course, the regulatory climate itself is changing, and the risk assessment will need to consider that, too. Regulators around the world are on the prowl for COVID-19 fraud, and we’ve already seen several of them happily announce indictments against companies and individuals alike.
Consider how to get a risk assessment done.
Once those preliminary risk questionnaires are returned with the inevitable portion of troublesome answers, you’ll need to follow up more thoroughly with the business unit — which means, for better or worse, risk assessment via video meeting.
The better: compliance officers won’t need to travel, and all standard video meeting software now lets participants share screens, swap data, and converse all at once. Many times, an interaction like that is a perfectly fine way to walk through how a business process and its accompanying internal controls actually work. And you can do it in your slippers.
The worse: in at least some instances, a compliance officer would want to be physically present — say, to have a difficult discussion about executive oversight, piggy-backed onto a training session you’d be leading in that location anyway. In the work-from-home era, we lose some of that ability to disarm and win over skeptical employees. It’s an unfortunate price to pay during these times.
You might also need to lean on any compliance ambassadors or champions you have working around the enterprise, especially if you’re trying to assess risks in some part of the business that isn’t accustomed to the attention or where communication is difficult.
In those circumstances, compliance officers will need allies closer to the business unit who can help them get the information they need. That is a job tailor-made for compliance champions, if you’ve been able to build such a network.
Think about the policy changes you’ll need to implement.
A thorough risk assessment will find weaknesses in policy or internal control; considering how profound a transformation COVID-19 has been, that’s unavoidable. Then comes the task of remediating those weaknesses.
Again, you’ll need to work with other business units in the first and second lines of defense. Indeed, collaborating with other parts of the enterprise is even more important today, because remote work has challenged routine business operations so much. Those other executives will know what’s possible under present circumstances.
The real danger is that compliance will push changes that aren’t feasible — leading employees to the dreaded perception that compliance is an obstacle to their “real jobs,” which are hard enough right now.
Having conversations with business unit leaders about how to change policy or controls might seem like a self-evident step. I emphasize it, however, because it underlines the importance of the next step: documenting the changes you decide to implement.
After all, at some point in the future, the company’s actions today might end up under regulatory review. Those regulators will want to know why your company changed the policies or controls that it did, which means documenting those changes today. Memos, emails, and other supporting materials should all go into one central repository so you can show your homework, should that request ever come.
To learn more, catch the podcast, The Urgency of Risk Assessments & Policy Management, with Matt Kelly and Tiffany Archer, Regional Ethics & Compliance Officer at the Panasonic Avionics Corporation. This is part of NAVEX Global’s “Coping Through COVID” series.