Risks Your Compliance Function Should Look out for Right Now


Post By: Mary Shirley, Head of Culture of Integrity and Compliance Education, Fresenius Medical Care North America

The ways in which we do business had to be adapted to best suit the global crisis we found ourselves in during the COVID-19 pandemic. While it is entirely understandable that we would need to move with the circumstances, there is also a need for Compliance functions to be astute about the risks those changes may have presented.

Here are some of the areas to revisit right now:

  1. So-called low-risk stakeholders and geographies. You know the ones I’m talking about: countries that are in the top ten least corrupt on the Transparency International Corruption Perceptions Index, or leaders who are gushing about Compliance and make you think, yeah she’s savvy, I know we’re in good hands out there. It can be tempting to leave these business lines well alone and instead focus on the ones you consider high risk, even more so during a pandemic when site visits are out of the question for the most part right now. However, I would urge you to treat the areas you consider to be low risk with the same kind of initiatives you give to the business areas that keep you up at night, in respect of monitoring and review. When we fail to address this aspect of a Compliance program adequately, there can be numerous controls issues. That business leader who walks the walk about bribery? That doesn’t mean the controls in her business lines are necessarily effective. Controls failures don’t sound as egregious as blatant bribery, but they can lead to destruction if left unchecked, and a good controls program is a legitimate expectation under the Foreign Corrupt Practices Act. It was an oft-used phrase in Compliance around five years ago that low risk doesn’t equal no risk. We’d do well to bear that in mind right now.
  2. Exceptions made during the pandemic. As an example, supply chains were disrupted, your usual suppliers may have run out of stock, and you urgently had to source it elsewhere, from previously unused vendors. It may have been necessary to take action such as abbreviating the due diligence process or relaxing other control measures, especially in essential services business lines. Have you gone back to review those transactions where concessions were made to usual processes, to see if there are any checks and balances that could since have been completed, and ensured that all relevant documentation explaining those judgments is readily retrievable and comprehensive? Tie up any loose ends that may have been left open during emergency circumstances.
  3. Doing things the way we’ve always done them. This isn’t Coronavirus-specific, but as the pandemic has caused many people to review their life purpose and make big changes, this one is important from an introspection and self-improvement perspective. Just as we don’t accept “This is the way we’ve always done it” as a compelling argument from the business wanting to continue an imprudent practice, we as Compliance professionals should also be careful of falling into this complacency trap. Companies that have previously won awards or received monitorship certification may be lulled into a false sense of security as time passes. Compliance subject matter is an evolving practice area, as we have seen from the increasing inclusion of topics that previously would have been thrown to HR – #metoo and Social Justice are such topics. It’s therefore important to stay up-to-date on where the profession is headed and keep up with changing standards. What was best practice in 2010 is not going to cut it as a robust Compliance program today. If you’re reading this, there’s a good chance that you are someone who likes to keep an eye on developments. If you have a colleague who has never heard of Hui Chen, send them your go-to places for Compliance resources and mailing lists so they can keep up with you.
  4. Lack of Compliance Officer humility. An unattractive combination of points 1 and 3 is the situation where a Compliance Officer is feeling so darn pleased and proud of their efforts that they believe everything is dandy and there is no need for reinforcement of Compliance messaging. This can look like a Compliance Officer who scoffs at the idea of holding a Corporate Compliance & Ethics Week event because they assert that everyone in their company knows about the Compliance function and believes there is no improper conduct. No matter how many times you share a message, there will be someone who was not listening or does not understand it. I have found that there is no lowest common denominator, so test where your most astounding gaps are by issuing culture of integrity surveys that ask about the most basic things you believe most people would know about (e.g. what is the name of the Chief Compliance Officer/your Compliance Officer, do you know where to access Compliance policies, do you know the details of the reporting hotline, do you feel it is safe to speak up in this company, etc.). There are fewer avenues for getting across messaging and holding events at the moment, so it takes a bit of creativity to establish forums to keep lines of communication open and interesting at this time. Exchange ideas with other Compliance Officers so that you don’t have to keep reinventing the wheel.