So, that happened.
Finally, 2020 is (almost) over. Rarely have so many been so happy to see a year go. COVID-19 shaped almost every aspect of our lives these past 10 months. But before we mercifully toss this year down the memory hole, it’s important to take stock. While many COVID-necessitated practices will end with the vaccine, some changes are here to stay. The pandemic also reinforced valuable messages – especially within the field of risk management – that we had been failing to heed for years.
In this pandemic season we are rightfully Scrooges all, spouting a reflexive “bah humbug” to all things coronavirus. But we should embrace some of the hard lessons of this difficult year … or risk being haunted by past, present, and future compliance failures when the next crisis makes its unwelcome visit.
Avoid the Ghost of Risk Management Failures Past
This year, COVID-19 pointedly revealed the importance of proper risk management by showing us sharp, painful memories of good advice ignored and poor decisions made. Supply chain management and business continuity are looming specters of two frequent points of failure in 2020.
Supply Chain Management
COVID-19 introduced a sudden disruption to operations, and many firms were unable to find suppliers. This led to a haphazard onboarding of replacements, and many businesses are still exposed to a variety of legal, reputational, and financial risks today.
To effectively manage these risks, organizations are looking ahead to adopt a holistic approach to third-party risk management in 2021 if they have not done so already. An integrated approach requires compliance officers and risk managers to work across functions, sometimes with departments outside their traditional scope, such as the IT and HR departments. Risk management should also play a part in locating and onboarding alternate third-party suppliers:
- Dig deep into your third-party relationships. When reviewing suppliers, look beyond primary relationships. Gain visibility into 2nd and 3rd tier suppliers.
- Continuously monitor all third parties to detect potential disruptive issues.
- Leverage mechanisms like contract clauses and right-to-audit to make sure you have enough information about who your organization is doing business with.
- Use technology solutions to quantify and support your efforts.
Planning for the unknown is a daunting task – which is why so many organizations don’t properly do it. But having a plan to avoid risk and disruption to business activities is a critical component of good business continuity management. The business continuity plan should be distinct from your disaster recovery plan. The latter helps restore business operations after a critical event like a hurricane or civil unrest, while the former aims to anticipate issues and disruptions before they occur.
Take the following steps to begin building a business continuity program:
- Identify and catalog processes critical to business operations. Detail what people and departments are involved in these processes, as well as what critical resources are involved. List all dependencies.
- Conduct risk assessments as the foundation of a mitigation plan. Assessments should occur at fixed, regular intervals, and after significant changes such as mergers, new business models, etc. When conducting an assessment, take your time, identify risks for all stakeholders, and speak to the risks specific to your organization.
- Craft recovery objectives by determining how quickly your processes must return and how much data you can afford to lose. Consider recovery time objectives (the amount of time it will take to restore a process or service) as well as recovery point objectives (to determine how frequently data backups should occur, measured in hours).
- Conduct a business impact analysis to quantify the potential financial impact of an interruption to critical business operations.
- Test your business continuity plans through tabletop exercises and simulations.
Refer to NAVEX Global’s Business Continuity Toolkit for more information on how to build a business continuity program.
The pandemic prompted many businesses to rethink how they approach risk management moving forward – and that hard work shouldn’t be forgotten or abandoned. If you employed any of these practices during the pandemic, keep them up; they’ll help you when the next political, ecological, or economic disaster hits. If you haven’t adopted any or all of these, make it your New Year’s Resolution to do so.
Anticipate the Ghosts of Compliance Failures Yet to Come
Regulators as well as businesses suffered from the impact of the pandemic. The beleaguered Environmental Protection Agency declared it would not pursue any compliance violations it deemed caused by the pandemic – a move that Compliance Week’s Jaclyn Jaeger called one of the top ethics and compliance failures of 2020. COIVD-19 closed courtrooms, slowed investigations, and delayed the convening of grand juries, which necessarily slowed prosecutions. The number of Department of Justice FCPA-related case filings in 2020 was half that of the previous year; the number of successful prosecutions declined from 29 to 5.
That doesn’t mean the DOJ wasn’t busy in the compliance field, however. In June, the agency issued its latest Guidance on Corporate Compliance Programs. This edition placed even more emphasis on the need for businesses to fund and empower their compliance programs. The SEC also kicked its Whistleblower Program into overdrive, awarding almost as much in the past year as it has in the rest of its 8-year existence combined.
These actions were at least partly responses to the COVID-19 pandemic. Faced with a reduced capacity to uncover and prosecute compliance failures, both agencies leveraged existing tools and mechanisms to incentivize self-policing. These changes are unlikely to dissipate, even after the pandemic ends. Consequently, compliance programs need to adopt the following best practices:
- Implement a strong hotline and incident management program to identify and address problems before they require the attention of outside regulators. Of course, having a good solution isn’t enough; you must ensure that your employees and third parties are aware of your reporting system and how to use it.
- Gather lessons learned through your company’s own prior issues, those from other companies, program audits and benchmarks to assess and improve your compliance program. Use performance-based metrics to test, monitor and measure the impact of your compliance practices.
- Make a conscious effort to build leadership support for your risk and compliance program. Recent studies show programs that explicitly prioritize securing leadership support in the next 12 months are 20% more likely than their peers to report “good” to “excellent” program performance.
- Conduct ongoing assessment, review, and updates. Make use of periodic risk assessments and program audits, as well as continuous monitoring of third parties.
Don’t Forget the Reason for the Risk and Compliance Season
While the ghosts of past and future failures undoubtedly deserve attention, the biggest challenge for most of us is still the present: Many risks remain as the pandemic continues to rage, and civil unrest is still happening.
The demands of the moment can be overwhelming, especially when compounded by newer mandates like risk-based approaches, performance-driven metrics, and ongoing monitoring and review. It’s easy to forget the mission at the heart of our profession: to build ethical workplaces that enable our coworkers to bring their whole, best selves to work. As Jerry Greenfield, co-founder of Ben and Jerry’s Ice Cream said in his NAVEX Next keynote presentation Ethics at the Heart of Successful Business:
“It's really tough not to get bogged down. There's so much day-to-day stuff coming at you that it's hard to keep the big picture in mind all the time. You have to force yourself to do it. You want to be doing things that you know are right, that allow you to sleep well at night… but you can't always control how things turn out. In fact, you can never control how things turn out. But if you're doing what you think is right, it's the best you can do, you won't have any regrets.”
So, as we say goodbye to the year that was and brace ourselves for the one to come, consider what you’ve accomplished, and what you’ve overcome. Take a moment to feel good – really good – about what you do and why you do it. This year more than any other, you’ve earned it.