This is a guest post by Ramsey Kazem, East Coast Vice President, Spark Compliance Consulting
“So, boys, what did we learn?” That was the question my football coach would ask the offense after our first couple of possessions. He was asking for our perspective on our game plan. What was working? What was not? What was the defense doing that we did not expect? What adjustments do we need to make to more effectively move the ball down the field and score? It was a simple question, but an important one. Our answers often made a difference between winning and losing.
For the past three months, the COVID-19 shutdown has challenged businesses across the country. Business as usual was anything but usual. For many companies, tried and true business practices were suddenly unworkable, ineffective, and, in some instances, illegal. To keep their business running, these companies were forced to implement new and untested processes, override existing procedures, and invent creative solutions to meet novel problems. While these challenges brought hardship, they also caused companies to be innovative and more open to changing the ways they conducted their day-to-day business activities.
While most of us are ready to return to life as normal, does that mean we should go back to the pre-COVID-19 ways of doing business? Maybe. But before we do, we as compliance professionals must ask the simple, but important, question: What did we learn?
Do Not Let This Crisis Go to Waste
As we begin the slow process of re-integrating into a post-COVID-19 world (hopefully!), it may be tempting to discard the past three months as a once-in-a-generation occurrence and return to business as usual. This perspective, however, overlooks the possibility that this crisis, like most crises, has a silver lining. That is, the chaos and uncertainty of the past three months provided a real-world case study of the effectiveness of your company’s compliance game plan. The crisis likely also provided some important insights and lessons for improving the overall effectiveness of the compliance program.
As companies across the country get back to work, compliance teams should initiate a “what did we learn?” campaign to better understand the business activities over the past three months. This campaign should solicit information from a cross-section of the company (including the various business functions, departments, and units) and focus on the following topics:
Disregarded Policies and Procedures
As companies scrambled to adjust their business processes to comply with COVID-19 related restrictions, some existing compliance-related policies and procedures became unworkable and were overridden. Compliance should inventory these policies and procedures and for each: (1) summarize the issue rendering the policy or procedure cumbersome or ineffective, (2) quantify how many times the policy or procedure was overridden, (3) determine whether the policy or procedure as written is absolutely necessary and, if not, whether there is a more effective alternative, and (4) ascribe a level of added risk created by overriding the policy or procedure.
In performing this exercise, the compliance team may identify policies and procedures that are unnecessary, ineffective, or redundant. These policies and procedures should be withdrawn. Alternatively, some policies and procedures may need to be tweaked to address business realities that did not exist at the time of implementation. These policies and procedures should be adjusted so that they are more business-friendly and effective in achieving their purpose. Finally, some of the disregarded policies and procedures may be critical in mitigating certain compliance risks. In that instance, the compliance team should identify the transactions that escaped these critical standards and determine whether additional scrutiny is warranted. These transactions may need to be reviewed, monitored, or audited based on the type, frequency, and added risk of the disregarded policy or procedure.
As a final point, the compliance team will need to assess the process for suspending or overriding the compliance-related policies and procedures. Did the company employ a systematic process for making these decisions or did it take an ad hoc approach? Was compliance consulted in these decisions? The answers to these questions may trigger the need for creating a new “policy override” process that properly balances the need for flexibility in crisis without exposing the company to unnecessary risk.
New Business Processes
In responding to restrictions imposed by the government (federal, state, and local), many companies were forced to implement new business processes for delivering their goods and services – even if these processes were untested. For example,
fine-dining restaurants converted their operations to offer take-out, curbside, or delivery services
companies that traditionally operated out of large office buildings quickly implemented remote working alternatives
companies reliant on in-store retail sales transitioned to web-based sales or delivery of their products
in-person service providers created virtual appointments and sessions
Companies also adjusted smaller-scale processes in day-to-day business activities. For example, pre-COVID-19, most internal investigation interviews were conducted in-person in an office or conference room. Today, most interviews are conducted via a video conferencing platform or telephone. Also, processes that required wet signatures on documents have been altered to allow for electronic signatures or email acknowledgments. Finally, given the number of employees working from home, policies for allowing the use of personal devices to transact company business have expanded substantially.
These new business processes should be reviewed by the compliance team to evaluate whether they impact compliance-related risks. For each, the compliance team should (1) summarize the new business process, (2) identify the compliance risk area(s) impacted, and (3) evaluate whether existing compliance policies and procedures adequately address the compliance risk presented by the new process.
The review of information related to new business processes will help inform the compliance team as to whether new compliance-related policies and procedures need to be implemented to address the new business processes. Also, this information will help determine whether certain transactions require additional scrutiny or monitoring.
Temporary or Permanent Changes
In reviewing both the disregarded policies and procedures and the new business processes, the compliance team must assess whether the changes are temporary or permanent. This is significant because the type of change will determine the type(s) of mitigation activity to be performed. Temporary changes only require limited mitigation. That is, a temporary change – whether a disregarded policy or procedure or a new business process – only impacts the transactions active during the limited time the change was in place. The compliance team, therefore, will only need to segregate the applicable transactions for additional scrutiny (e.g., on-going monitoring or auditing). Permanent changes, on the other hand, require a broader mitigation strategy as they will impact all current and future transactions subject to the changed policy, procedure, or process. The mitigation strategy in these instances may include updating the compliance risk assessment, reallocating resources and personnel, developing new policies and procedures, creating new metrics, and providing additional training.
In the end, the goal of the “what did we learn?” campaign is to better understand how the compliance program performed in a difficult and chaotic time, what lessons were learned, and what adjustments should be made to more effectively manage and mitigate the company’s compliance risk in the future.
The full impact of COVID-19 on business is still unknown. However, as companies get back on their feet and reemerge in the post-COVID-19 world, the compliance team must assess the state of its compliance program and decide what improvements can be made to more effectively manage and mitigate its compliance risks moving forward. This process starts with a simple question: What did we learn?