In April of 2020, we are over a month into a global pandemic that has disrupted the health and livelihood of countless persons across the world. It is too early to know what the future, or ‘new normal’, will look like, or even when it will occur.
While arguments can be made on both sides that a global pandemic is/is not a true black swan event, it is fair to say that the scope and impact of COVID-19 was not expected, and certainly not planned for, by businesses, governments, and individuals around the globe. This pandemic has affected businesses of all shapes and sizes- many in a profound negative economic way. For the fortunate businesses it has not been as economically devastating; rather, it has resulted in a scramble to enable continuance of business, and a possible re-imagining of the business itself.
The focus for businesses now in April of 2020 is, appropriately, taking immediate action to keep business going and support employees. When the worst is behind us, businesses should take the opportunity to do a ‘lessons learned’ on how business functioned during the crisis- including compliance. It is broadly accepted that times of great change lead to compliance risk, for a myriad of reasons. Consider, for instance, supply chains and global trade. For some companies, COVID-19 has led to the need to rapidly align with new suppliers and new customers, and to the manufacture of new products unrelated to their typical line of business or even their business sector. These situations lead to higher risks in working with new third parties from e.g. bribery/corruption, sanctions including beneficial ownership, or EHS perspectives, and also from regulations governing import or export of new products including the applicability of regulations from government agencies not typically encountered (e.g. FEMA), to name but a few.
Compliance risk assessment must not be a ‘one and done’ exercise- it must be reviewed and updated on both a defined schedule and when changes in situation warrant it such as change in external regulations or company business model; certainly COVID-19 surpasses the criteria for reevaluation. Take the time to properly do a compliance risk assessment, and then update the compliance program accordingly. Focus on the highest risks and ensure the framework adequately defines how to prevent, detect, and respond to those risks. And, just as importantly, ensure the framework incorporates learnings from the business during this pandemic as well as during business-as-usual.
Take an honest look at how compliance controls operated during this crisis- were they effective? Were they efficient? Were gaps identified? What went well? Use this information, along with the updated compliance risk assessment, to make your compliance program fit for the future, no matter what the future holds. This action will allow you to weather future storms, hopefully none so great as this current one.