Pressure testing a compliance programme

October 2020  |  FEATURE  |  RISK MANAGEMENT

Financier Worldwide Magazine

October 2020 Issue


In recent years, companies have invested significant resources into their compliance programmes in response to regulatory developments, high-profile investigations and evolving stakeholder expectations. Authorities in many jurisdictions have increased their enforcement activity against corporate misconduct, which in some cases has resulted in large monetary penalties, as well as individual executive prosecutions.

Perhaps the best way for a company to avoid penalties is to demonstrate a genuine commitment to ethics and compliance. However, it can be a complex field to master. A strong, well-designed compliance programme can address and mitigate issues before the company becomes a target for regulators. It should help prevent companies and their employees from committing offences, but also allow them to take quick remedial action if bad behaviour does occur.

“The purpose of a compliance programme is to prevent and detect legal and ethical violations within the organisation and to create a culture of integrity so employees and third parties feel comfortable raising concerns and asking questions,” explains Colin R. Jennings, a partner at Squire Patton Boggs. “All stakeholders must understand that the company expects them to do the right thing every time.

“The compliance programme is a fundamental tool to avoid or mitigate enforcement actions and to address and mitigate business risks that may lead to significant financial losses or business disruption that may negatively impact on the organisation’s reputation. At its heart, a compliance programme is a risk management and reputation protection programme,” he adds.

Every compliance programme is multifaceted, but ethical aspirations should feature prominently. Senior management also need to support and engage with the company’s compliance efforts, setting a clear example to employees throughout the organisation.

Programme development and improvement

Designing and implementing a compliance programme is a continuous, complicated process. Countless challenges may arise when developing policies, procedures and training, as well as establishing measures for ongoing testing, review and enforcement.

“Compliance programmes must evolve to remain effective,” says Craig Foster, counsel at Thompson Hine. “Laws, regulations, technology, business lines, industry practices and customer expectations constantly change, and firms must continue to evaluate the effectiveness of their compliance programmes in light of those changes. What was sufficient a few years ago may not suffice today.”

The structure and scope of the compliance programme should not remain static. It is an ongoing, evolving framework, which reinforces the need for regular testing.

Failure to pressure test a compliance programme can lead to serious financial and reputational damage for the company. Without testing or monitoring, weaknesses in a programme’s design or rollout may not be identified and remediated until it is too late. Regulators take a dim view of lax controls when it is apparent that problems could have been avoided.

So, how can companies ensure they are adequately scrutinising their compliance programmes?

For a start, the chief compliance officer (CCO) should be central to the process. The CCO has day-to-day responsibility for overseeing and managing compliance risks. They spearhead the design and testing of the programme, ensuring appropriate controls are implemented, monitored and audited on a regular basis.

CCOs should also set out the company’s expectations for the compliance programme when designing it. Such policies are usually embedded in a code of conduct or code of ethics that is broadly applicable to all individuals who are employed by, interact with or serve the organisation.

“A viable compliance programme needs to include mechanisms to ensure that the policies and procedures in place are being executed as adopted and sufficiently addressing the risks facing the business,” says Jennifer Kies Mammen, counsel at Bryan Cave Leighton Paisner. “To the extent that risks vary over time, the compliance function must be regularly evaluated and updated to ensure that it continues to sufficiently address relevant risks. Internal monitoring and auditing are key to identifying issues early to avoid systemic shortfalls.

“Companies should stay current with findings from enforcement agencies and courts and use that information in calculating their risk profile, but they should not rely on external ‘pressure testing’ to identify any compliance gaps,” she continues. “Identifying shortfalls internally allows companies to strengthen their programmes without the risk from outside enforcement agencies.”

Guidance from authorities around the world has emphasised that a regular review of existing controls is critical to identifying new risks and measuring the effectiveness of a company’s compliance programme. “The guidance underscores the importance of leveraging technology and compliance data analytics to better understand where existing or developing risks to your business exist within and outside your organisation,” says Lisa Vicens, a partner at Cleary Gottlieb Steen & Hamilton.

“These tools can also lead to better compliance design, as the data gathered allows companies to be targeted in their allocation of resources and to draw lessons as to what has worked and not worked in the past,” she continues. “In addition, more companies are expected to be agile and prepared to rapidly enhance their programmes to better account for the risks presented by internal assessments, new enforcement actions and recent regulatory or legal developments.”

Companies are also urged to expand the scope of their compliance considerations beyond their own organisation, to also cover their third-party business partners. To this end, companies should verify that third parties with whom they do business also carry out the same rigorous compliance testing as the company itself. The process of obtaining such confirmation has, however, become more difficult since the outbreak of COVID-19 and subsequent social distancing guidelines.

“When it comes to third-party relationships, while the pandemic provides some significant challenges, such as the inability to conduct on-site visits, that does not mean all the rules get thrown out the window,” warns Adam Turteltaub, chief engagement and strategy officer at the Society of Corporate Compliance and Ethics & Health Care Compliance Association. “Organisations need to continue to do all that they can, document what they have done and document what they could not do, why they could not do it, and what other steps they took to ensure that their third parties operated with integrity.”

Pressure testing under COVID-19 conditions

COVID-19 has created significant risks and logistical challenges for companies to overcome. In terms of pressure testing compliance programmes, companies need to look internally and evaluate the extent to which their existing compliance programme continues to address known risks.

“This could include reviewing whether existing monitoring or auditing is sufficient given the changing conditions, whether there are additional electronic or digital measures that could be put in place to meet current risks, and whether those tasked with compliance responsibilities have the tools to perform in the current environment,” suggests Ms Mammen. “To the extent that companies make any changes to their compliance programmes to address current conditions, they ought to document those changes and the rationale that led to those changes.”

As companies contend with a host of new challenges in the wake of COVID-19 – from supply chain disruption, to cash flow uncertainty, to new health, safety and environmental regulations – in many cases their compliance programmes have been forced to address these challenges remotely, as a result of work from home or shelter in place orders. And some recent changes may be irreversible.

“What was believed at first to be a short-term crisis may now have a permanent impact on how businesses are run and compliance functions are managed,” points out Ms Vicens. “In particular, the crisis has underscored the importance of continuous risk assessment and the use of technology to effectively monitor and enforce controls.

“A strong culture of communication and tone at the top is critical to rapidly adjust to an ever-changing scenario, both to disseminate information from management and to react to new issues in a timely manner,” she continues. “One effective means of doing so is to create a working party comprised of key compliance personnel to meet regularly – and remotely – to determine what adjustments are needed to respond to the crisis.”

Advancing technologies that help companies to digitalise and automate compliance functions mean that problems can be detected and resolved more quickly and easily. But there can be downsides too.

“Organisations must ensure clear understanding of the risks associated with new areas of technology, such as artificial intelligence (AI), big data, blockchain, internet of things (IoT), connectivity of devices, cross-device tracking and biometric tracking,” says Mr Jennings. “There are great benefits to leveraging tools such as AI-based software to conduct trend analysis to expand on the capacity and effectiveness of compliance monitoring.

“Of course, there are challenges related to digital transformation, including privacy implications and concerns with protecting confidential information,” he continues. “These are complex and rapidly evolving issues, and it is important for companies to understand the appropriate uses of data within each of the jurisdictions where they operate. Data is a significant tool that has and will continue to rapidly change how compliance programmes are designed, implemented and monitored.”

Alongside compliance programmes, companies should also consider strengthening their business continuity plans (BCPs), as the COVID-19 crisis has sharpened the focus on this area of risk management. “BCPs allow firms to fulfil their duties to customers and meet their regulatory obligations in the event of an emergency, such as a fire, natural disaster, pandemic, or any other event that may disable the firm,” says Mr Foster. “The COVID-19 pandemic has been a live test of many BCPs, as firms have been forced to quickly figure out how to continue operations outside their offices.

“Despite the stress, the pandemic has provided an opportunity for organisations to evaluate the effectiveness of their BCPs in real time and detect actual divergences from the written procedures,” he continues. “Firms should use this time to review how well their BCP is operating and make any necessary adjustments now, as it is a good bet that BCPs will be scrutinised by regulators and others once the pandemic ends.”

Future of compliance testing

Compliance requirements can change with the prevailing winds of the day. Following the financial crisis, increased regulatory fines and sanctions, new conduct rules and heightened expectations demanded a rethink of compliance frameworks. In the coming years, compliance will continue to be shaped by global events, not least the COVID-19 pandemic.

Compliance teams must continually evolve to identify, assess and mitigate material risks, and test the adequacy of their response. Technology can play an important role in this process, but it is not a silver bullet. “Technology will not be able to solve every problem because compliance is about human behaviour,” notes Mr Turteltaub. “Technology can tell you how many calls were made into the helpline, but it cannot tell you why people did not call when they saw something wrong. And it cannot help you pick up all the subtle clues as to what is right and wrong in the corporate culture. Compliance needs to embrace digital transformation, but it cannot reject human contact either.”

The COVID-19 crisis has changed the paradigm. Compliance professionals will need to be creative as they adapt to a new frontier.

© Financier Worldwide


By Richard Summerfield