As we embrace 2021, we would be remiss to move forward without pulling lessons learned from 2020. We’ve experienced many firsts in the past year – be it COVID-19 and its implications on every aspect of our lives, new regulations and guidance to heed, or heightened calls for change driven by Black Lives Matter, international calls for social justice, and the fundamental need for organizational trust.
We have a lot to reflect on – the lessons certainly are not in short supply. These 7 most popular Risk & Compliance Matters blogs from 2020 focus on:
- How to instill organizational trust
- How to identify risk for disaster planning
- How to prioritize diversity and inclusion efforts
- How to manage whistleblower expectations
- How to prioritize ESG (environmental, social, governance) risk
- How to assess fraud risk and anti-fraud programs
- How to mitigate supply-chain risk
1. Instill Trust in Times of Uncertainty
Bob Conlin, NAVEX Global
In times of uncertainty, we all look towards people and organizations we trust to help guide our actions and decision making. As leaders, we inherently understand our role in building trust and confidence in our organizations’ ability to deliver on customer promises, on our fiduciary duties to investors and as job creators. With 2020’s events barely behind us, our employees continue to look to us for information and guidance, which presents an opportunity that business leaders should not waste.
I’ve set some communications objectives for myself during the COVID-19 pandemic that I think are worth sharing:
- Be transparent. People don’t expect us as business leaders to be omniscient, but they do want and deserve open communication.
- Be proactive. Anticipate your teams’ questions and stay ahead of them. Even if our answer is, “we don’t know yet,” it’s better to acknowledge concerns than ignore them until we have more information.
- Be honest. It should go without saying, but our words matter. It’s natural to want to sugarcoat issues or avoid tough conversations. But when we get through this issue, we want our trust intact.
- Be human. Leaders are not immune. It’s ok to show our human side and empathize with our teams.
- Be hopeful. It’s also our job to inspire. We can be direct about what we need to get through a crisis without dampening the spirits of our teams. Let’s focus on our ability to work together and succeed together.
2. Identify Risks That Can Lead to Disaster
Carrie Penman, NAVEX Global
Most organizations weren’t prepared to maintain the continuity of their business during a pandemic. So when COVID-19 hit, the most companies could do was dust off their disaster recovery plans, and react to the past while taking a series of gambles on an unknown future.
When properly implemented, a solid business continuity plan will reduce the negative business impact of adverse events and make the business more resilient.
Here are six ways to shift from planning for when a disaster strikes to identifying risks that can lead to disasters, which will disrupt company operations:
- Empower your people
- Enlist stars of disaster recovery
- Pay attention to third parties
- Don’t forget compliance
- Plan with ethics in mind
- Make resiliency an organizational initiative
3. Cultivate an Inclusive Workplace
Chai Feldblum, Morgan Lewis
First, focus on your desired outcomes. Have a clear idea of where it is that you're trying to get to. Diversity along what dimensions? What will inclusion feel like?
Second, review and revise, if necessary, your current policies and processes. This is where HR, legal, and compliance should all be engaged together. Because one of the things that many companies don't have yet, though more are doing it, is a respectful workplace's policy as part of their EEO or anti-harassment, anti-retaliation policy. Because you don't want bad behavior going on, or people experiencing unwelcome conduct, even if it's not based on any protected status. You want a culture in which respect is expected. And if people don't act respectfully, there will be consequences.
Third, look at how effective they are. Your sourcing, recruitment, and hiring; your retention, inclusion, and promotion. Also review the diversity of your contractors and suppliers. That sends a message as well.
And the most important thing: remember that progress takes time. Set realistic diversity goals, because you want to reach them.
4. Manage Whistleblower Expectations & Experiences
Kristy Grant Hart, Spark Compliance Consulting
Once an employee has blown the whistle, they want to know what’s going on. Many times the compliance officer is so busy protecting confidentiality and keeping the investigation going that communication with the whistleblower falls to the last priority. In order to manage expectations for the whistleblower, be sure to do the following.
- Discuss timeframe
- Schedule regular check-ins
- Share outcomes
- Check in three, six, nine, and twelve months later
- Evaluate performance reviews for five years
By setting expectations up front, checking in regularly during the investigation, and following up after the complaint, you’ll allow the whistleblower to feel confident that he or she did the right thing.
5. Prioritize and Mitigate ESG Risk
Mark Thomsen, NAVEX Global
Disclosing climate risk and setting targets to reduce GHG emissions is still relatively new to the business community, but we expect disclosure to accelerate in 2021.
Risk can’t be mitigated if it’s not recognized. Some leading companies have begun addressing climate risk, but the world needs faster uptake. Risk managers will have a better chance of reaching senior executives and the board if they frame climate change as a financial case. To do so, organizations should take these steps:
- Identify climate-related risks and determine your company’s exposure.
- Do not overlook the extended supply chain.
- Begin reporting GHG emissions and establish a net-zero emissions plan.
6. Assess Fraud Risks and Anti-Fraud Programs During COVID-19
Matt Kelly, Radical Compliance
COVID-19 has changed how fraudsters might approach your company. But fraud risk itself — the principles of how it works, and the basic scams that fraudsters try — is nothing new to corporate enterprise. That’s a crucial point to remember as you evaluate what your fraud risks truly are these days, and how to modify your policies, procedures, and internal controls in response.
Understand what’s changed. Ask yourself: How has COVID-19 changed the operations at our enterprise? Where might we be more vulnerable to that confusion, urgency, or unfamiliarity?
Keep employees attuned to risk. Employees will need to be more attuned to fraud risk, and understand what steps they’ll need to take to reduce that risk — and creating that state of affairs typically falls to the compliance function.
Don’t forget leadership. Somebody in the enterprise will need to lead the anti-fraud program.
7. Plan for Risk in Third-Party Supply Chains
Vera Cherepanova, Studio Etica
The onset of COVID-19 has accelerated the broader view of ethical responsibility: now, a company’s ethical credentials are judged on a wider range of ESG requirements.
Whether it’s human rights protection, diversity and inclusion, carbon-emissions reduction or supply chain resilience, it is critical from a legal, commercial, and reputational standpoint to address these evolving expectations.
Rethinking your third-party risk management strategy in light of recent developments should include the following key steps:
- Conduct a comprehensive risk assessment
- Extend your compliance efforts to your supply chain
- Look for synergies between compliance, legal, and corporate social responsibility
With regulatory, commercial, and media attention on the rise, companies will need to rethink their supply chain sustainability strategies accordingly. In the face of increasing transparency and awareness, businesses that have until now operated on a light-touch basis regarding supply chain risk management will be forced to improve their controls.