Q&A: Ethics and compliance in the remote working era

December 2021  |  SPECIAL REPORT: WHITE-COLLAR CRIME

Financier Worldwide Magazine

December 2021 Issue

FW discusses ethics and compliance in the remote working era with Tamara Quailey-Tulloch at Brown Rudnick LLP, Andrés Felipe Sáenz at Cleary Gottlieb Steen & Hamilton LLP, Matthew Nunan at Gibson, Dunn & Crutcher UK LLP and Martin Bischof at Sandoz.

FW: Reflecting on the last 18 months or so, could you provide an overview of remote working trends in the wake of the coronavirus (COVID-19) pandemic? How have companies responded?

Quailey-Tulloch: One trend that springs to mind is undertaking customer due diligence, including identifying and verifying customers, supervision and cyber security. Companies have had no choice but to respond. I think it has definitely raised issues around culture and what type of company you want to be for the future. When the coronavirus (COVID-19) pandemic first begun, it was the blind leading the blind, but now companies have got into the swing of things and need to consider what valuable trends they want to keep from COVID-19, such as flexible working or Zoom meetings.

Nunan: After the initial disaster recovery and business continuity response which saw firms put into operation their emergency plans, most firms quickly adapted to working from home. In the first few months the focus of management switched between putting in place compliance requirements, concern for staff welfare and then concerns about productivity. Gradually, however, the focus has shifted to considering the lessons learned – do staff need to be in the office at all times? Do firms need the same amount of real estate? What are the long-term intangible costs and benefits of remote working and how should these be balanced against a growing expectation from staff that they will not be expected to be in the office every day?

Bischof: When the pandemic started, many companies needed to learn how to run their business from home. In this context, they had to respect specific country laws and regulations and the health and security of their employees. For those in manufacturing, the situation was different, as many tasks could not be performed remotely. Many companies provided support programmes for employees, to help them cope with mental health challenges, to balance family and work, to utilise new technology and how to lead teams remotely. Furthermore, relevant human resource policies have been adapted to reflect the new reality, empowering employees to choose what is best from them and the business. Now, 18 months into the pandemic, we see that the working world will change forever and we are likely to enter a hybrid working set up for office-based employees. In addition, the impact of the pandemic for many local communities was devastating and a number of companies have provided support through donation programmes.

Sáenz: The past 18 months have forced companies to face a crisis situation that is unprecedented in how long it has lasted and how truly universal its impact has been. The remote working environment is here to stay for the near term and likely to continue in some hybrid form for some time. The relative ease of modern companies shifting to a remote working environment is indicative of the existing reliance on technology to perform our day-to-day activities. It has also highlighted the need to prioritise certain compliance measures: reinforced information security systems, mechanisms for sharing information, pooled and easily accessible record keeping and unified structures for decision making, especially by senior management. The companies that have been most successful at adapting are those that already had the structural framework for reporting and decentralised communication, decision-making procedures and advanced IT integration.

Organisations will see the value of risk management as it connects with strategy and supports operational execution.
— Martin Bischof

FW: What impact can remote working have on a company’s ethics and compliance (E&C) posture? To what extent does moving to or expanding a remote workforce increase risk in this area, such that suspicious activities might slip through the compliance net?

Nunan: Eighteen months after the start of remote working it will be hard for firms to justify still using temporary methods or not fully complying with requirements. In the first few weeks or perhaps months, there was a regulatory recognition and tolerance for teething issues around core compliance functions like oversight and monitoring. However, now firms are expected to have made the necessary adjustments and should be demanding the same level of compliant behaviour from staff as they would expect in the office. Firms should also have in place systems and controls to ensure that is the case and take action where it is not. Ethical changes are slightly different – a firm’s core values should not change regardless of where its staff sit, but there can be real challenges in building and maintaining that single view of culture when staff have very different and limited interaction.

Bischof: Many companies have managed to strengthen their ethics and compliance (E&C) agenda over the last 18 months. Some have launched a new code of ethics to drive the dialogue across their entire organisation, highlighting the notion of ‘doing what is right’. Other ethics, risk & compliance (ERC) topics, such as emergency and business continuity management, brought ERC teams to the centre of operations more than ever. And much of this activity was managed remotely, which, 18 months ago, I would not have thought possible. Also, during the last 18 months, many of us could not travel to see colleagues face-to-face, leading to organisations asking themselves whether they had enough oversight on critical risk areas. The key question was what assurance activities could be performed remotely and what needed to happen on the ground. For example, many companies introduced a system of remote ‘monitoring’, which data analytics and technology have helped facilitate. That said, I still believe in the power of face-to-face meetings, and I get many insights when I can see and feel teams operating or see field-based employees interacting with customers.

Sáenz: Whereas certain ‘crisis management’ structures are mostly now in place to address the once ‘new’ disruptions and challenges in early 2020, general business and E&C risks still persist, such as compromised supply chain timelines, backlogs and overall adjustments to how we communicate, including about E&C. Moving or expanding to a remote workforce requires adapting existing controls and reassessing what ‘triggers’ existing forms of suspicious activity detection. For example, if supply timelines and payment controls that would normally detect suspicious activities are not properly reformatted, E&C teams may be overwhelmed by false triggers of red flags, making it more difficult and less efficient to focus on actual risks. New detection mechanisms may need to be put in place to supplement or replace traditional compliance mechanisms, including increased audits, requests for review of third-party contingency plans or enhanced onboarding diligence to account for new suppliers.

Quailey-Tulloch: Remote working can completely reshape a company’s E&C culture. Compliance professionals work hard to make individuals understand the importance of what they do from an E&C perspective, which was easy in face-to-face training. Now that we have flexible working arrangements and that lack of ‘stand by my desk for a chat’ culture, I worry that E&C will not be at the forefront of individuals’ minds. It is inevitable that it will result in an increase of risk. In the legal industry there are already concerns around supervision and how juniors are being supervised. How can you stress the importance of E&C behind a computer screen? You can provide as much guidance as you can, but you cannot physically check on individuals like you used to.

Compromising E&C principles can pay a short-term dividend. Business can be won, or profits made by being more inclined to cut corners or operate closer to margins than others. This can spectacularly backfire.
— Matthew Nunan

FW: How important is it to conduct regular E&C-related risk assessments across business operations? How can this be achieved despite the practical complications of remote working?

Bischof: Conducting risk assessments across the entire value chain is essential to proactively identify threats to the business, which we want to reduce, and also opportunities, which we want to peruse. Alongside risk identifications, mitigation actions need be agreed to keep the business on course. In this regard, a comprehensive enterprise risk management programme can provide clear guidance alongside training and support. Organisations will see the value of risk management as it connects with strategy and supports operational execution.

Quailey-Tulloch: The ability to conduct regular E&C-related risk assessments depends on how you structure the risk assessment. If it is merely to tick a box, then this is not effective. If it will actually shape business operations or streamline current policies, controls and procedures, then they are great. It can be achieved if you have top level management that buy in to the validity and importance of the risk assessments. Once senior management are engaged, then they can request managers to relay the importance of the risk assessments throughout the entire business.

Sáenz: Regular and periodic risk assessments are crucial in any environment. Ideally, companies design their monitoring and information-gathering, audit processes and training to be built off each other: a risk assessment identifies gaps, controls are established to address those gaps, these controls are tested, monitored and audited and training and new design solutions are put in place to mitigate risk. Keeping that cycle up to date not only allows for a truer picture of the business and compliance environment, it also enables that feedback loop to reinforce itself. Where that cycle is perhaps complicated by remote working – for example, if traditional ways of information gathering and monitoring of controls are compromised – E&C professionals should, to the best of their ability, map alternative paths to get to the same or similar outcomes. They should ensure any changes to policies and procedures are appropriately implemented throughout the enterprise, including by reminding employees that the policies still apply even if in a modified way.

Nunan: Risk assessments are essential and should be both regularly scheduled and event driven. The pandemic and its impact on working conditions is a classic example of the kind of step change that should lead to an assessment. For financial firms, there will have been an ongoing assessment of the pandemic’s impact on markets and future revenue assumptions. The same should be true for assessing the impact on the likelihood of things going wrong. This would include inadvertent failure to deliver expected outcomes, individual misconduct or even changes in client demand which might drive changes in valuation assessments. All of these should be considered, together with an assessment of the strength of controls to prevent and detect them.

FW: Could you outline the benefits of providing consistent E&C training to staff? Is transparent and credible communication needed to reinforce key company values?

Sáenz: Although a remote working environment has meant adjustments in how companies conduct their training, they have proven themselves to be adaptable. Many organisations have already moved to an online model for at least some part of their E&C training and for the operation of their whistleblower channels. Video training, online assessments and other technological solutions can be effective tools in ensuring consistent E&C training and assessment of employee familiarity with key concepts, corporate policies and procedures. This type of training can be easily adjusted to a remote working environment. Of course, in such an environment, the type of ‘in-class’ interactions from live training is not the same. For this reason, it is important and a best practice for companies to complement their online presence with virtual meetings, town halls and interactive programmes, including tailored case studies, to ensure that employees are internalising and engaging with E&C issues and corporate values.

Nunan: Credible communications are always important – staff can very quickly tell when a firm says one thing but means another. Ethical messages should also be consistent and should include principles that staff can apply whatever the working conditions. Training in the principles should be realistic, and sensible – trying to talk to staff about culture while the roof is collapsing is unlikely to get their attention. However, giving them the tools to make the judgements the firm would want them to make, and demonstrating the long-term benefits to the firm, its reputation and its staff of doing so, is essential. Where staff are removed from nearby compliance or management and have to make decisions without the usual levels of support, this is more important than ever.

Quailey-Tulloch: Individuals are aware of their legal and regulatory obligations, so that if there is a mistake, it can be rectified as a matter of urgency. It is important that people are reminded of this, especially when billing targets and demanding clients are a distraction.

Bischof: With training, we can teach employees what is expected from an E&C point of view. Training equips people ‘to do what is right’, such as when it comes to disclosing conflicts of interest, to understand what is important when we deal with third parties and how we want to engage with customers and other external stakeholders. Transparent and credible communication is important to reinforce key company values. However, this is not enough. Companies need to make sure that people live and breathe the values. Knowing is not enough; doing provides proof to the organisation that living values drives a visible change in behaviour. Any bad examples must not be tolerated, and great role models will set the tone for all others to change.

Companies that do not adjust, or have no mechanism for adjustment, run the risk of having an E&C programme that is stagnant and out of touch with current risks.
— Andrés Felipe Sáenz

FW: As remote working expands, how important is it for E&C to be integrated with business and strategic objectives? What are the potential consequences for companies that compromise on their E&C principles?

Nunan: Compromising E&C principles can pay a short-term dividend. Business can be won, or profits made by being more inclined to cut corners or operate closer to margins than others. This can spectacularly backfire, however. The global regulatory push to align individual incentives with the long-term success of a firm is intended to ensure that good behaviour and well-run firms are more successful and deliver better rewards to customers, staff and shareholders. Remote working can remove some of the guide rails – the compliance officer on the next desk, or the manager overhearing a conversation with a client or competitor, for example. Where an employee is handed trading power and then isolated from normal support and control frameworks, it is vital that they feel their success will be brought about through following firm procedures. The message that the firm and individuals win together is key, and staff have to believe it.

Quailey-Tulloch: E&C is a necessity. It goes further than legal and regulatory obligations but also mental health and health and safety. With or without remote working, businesses should have E&C considerations as a priority. The moment businesses lose sight of individuals being human you will likely see a mass exodus of staff. The consequences are obvious: breaches of regulatory and legal obligations which could lead to fines, imprisonment or being struck off from the profession.

Bischof: ERC must be integrated within the business and connected to strategy to understand where the risks and opportunities are emerging. Only then can teams act proactively to support the business when commercial activities are created and build compliance into the activity and processes from the start, rather than identifying issues when problems have already occurred. Advising the organisation should be at the centre of ERC activities and to support value creation. To create sustainable business models, ethical and compliant business conduct is essential to build trust with the external world. Companies not living up to ethical business conduct might gain short term business success, but in the long term every misconduct will come to the surface, as scrutiny from regulators is increasing and expectations from society are at the highest level we have seen in history. Compromises in ethical business conduct will destroy trust, and in turn the ability to run a successful business.

Sáenz: As with any new risk, the company’s heat map should be revisited to determine whether it accounts for COVID-19 specific challenges, such as changes in law and regulations and potentially decentralised decision making and reporting structures. A good practice is to designate an interdisciplinary group of professionals, including E&C employees, business line and, where possible, audit personnel to align strategic and E&C objectives. Committees or working groups like these have the benefit of caucusing a company’s decision makers and focusing them on the common issue of remote-working challenges. It can also be added as an agenda item for already existing working groups to consider. Above all, the goal of enhancing such structures is to make sure that there is a cross-company understanding of evolving changes to the E&C environment. Companies that do not adjust, or have no mechanism for adjustment, run the risk of having an E&C programme that is stagnant and out of touch with current risks.

FW: What essential advice would you offer to E&C personnel on ensuring their companies thrive in an era of remote working while continuing to meet their regulatory obligations?

Sáenz: Maintaining a unified corporate culture for a remote workforce requires E&C professionals to think creatively about how best to communicate with employees and how to keep their finger on the pulse of compliance developments. E&C personnel should be especially attuned to the fact that the information-gathering mechanisms upon which they may have relied in the past may be less available. With this in mind, it is important to reinforce the frequency of outreach to remind employees that senior management and E&C professionals are available and a resource to them. Companies should also embrace the ‘compliance gains’ that can come from remote work: employees from multiple jurisdictions are more likely to participate in meetings and trainings together, it provides opportunities for senior management to reach out to and connect with employees directly, and it creates more of an electronic trail and therefore fewer opportunities for misconduct.

Bischof: The world is changing fast, and many businesses and go-to-market models are changing. The pandemic was a catalyst and change will continue. We now know that we will be engaging with the external world in a much more virtual way than before. This brings great opportunities, but also bears risks we might not yet know or understand. As ERC professionals, we need to understand these tectonic shifts, with many of our teams and colleagues working remotely. It is important to understand these trends and build the required knowledge. I think we need more shared learning to use our ‘swarm intelligence’ in a much better way by building and fostering internal networks of knowledge and expertise. This requires each team member to make extra efforts to reach out to their business partners to stay connected, with the intention to contribute and make the business more valuable and resilient from a compliance point of view. It is for everyone to be alert and sensitive to inclusive leadership, to stay close to each other, to listen and support teams to embrace the new world, and to take the necessary steps to encourage transparency and collaboration.

Quailey-Tulloch: E&C personnel need to remember to be creative so that people are engaged with meeting their regulatory obligations. I always think providing individuals with facts, news articles or results from audits are engaging. ‘Compliance reminders’ can be circulated to remind individuals of their legal and regulatory requirements, together with internal polices, controls and procedures.

Nunan: Processes have to be adapted to ensure the control framework is still in place. This may take investment, but the experience of the last 18 months suggests there may be a general move toward an increase in remote working, so the investment will be worth it. All three lines should consider what is at risk of falling through the cracks in remote working. That could be lack of collaboration leading to a reduction in innovation or a lack of personal interaction which leads to deteriorating mental health. All teams, individuals and management should pause every now and again to consider the benefits and costs of the new way of doing things. This should be an ongoing assessment, not a one-off effort.

E&C personnel need to remember to be creative so that people are engaged with meeting their regulatory obligations.
— Tamara Quailey-Tulloch

FW: Going forward, are E&C considerations set to climb even further up the corporate agenda? How important will it be for companies to frequently review and improve the E&C profile of their remote workforce in the months and years ahead?

Bischof: Companies with strong, well-designed and executed ERC programmes, as well as a supporting overall culture, are more likely to be successful compared to companies with poor understanding and culture. ERC increasingly has a seat at the executive table and programmes are being strengthened every day. My hypothesis is that companies with lower impact ERC programmes will step-up over time, as they will see the benefit for their business. So, ERC topics will become more important on many corporate agendas. Whether we go back to the previous way of working or whether we adapt to the ‘new normal’ and continue to work remotely, we need to find ways to embed ERC in all aspects of the value chain, as well as in the minds and actions of the people responsible and accountable for the businesses they run.

Quailey-Tulloch: I cannot envisage E&C considerations climbing further up the agenda, given that corporates have so many other pressing demands. On the contrary, I think it should stay where it is as an important and frequent agenda item. E&C policies should at least be reviewed annually, and where there is any change to legal or regulatory requirements, they should be considered in the corporate agenda immediately. It is so easy in such an evolving world to lose sight of the importance of E&C, but my constant reminder is that most of my colleagues are too pretty to be in prison and I will try my hardest to prevent that.

Nunan: Compliance has always been, or should always have been, at the top of the corporate agenda. Ethics has not always been spoken of in the same breath, but since the crisis firms have recognised that the best way to ensure compliance is to ensure individuals align their actions with the firm’s ethos and culture. For the best firms, however, there is a growing distance between ethics and compliance. Compliance suggests conforming to the rules – ethics suggests a vision or culture that is important to a firm regardless of the minimum standard set out in rules. For example, how should a firm balance its desire to deliver shareholder value with its environmental impact? These types of questions should be part of a firm’s ethical considerations but go far beyond compliance with regulation. Given the everchanging world in which we live, I would suggest these questions should form an active part of a firm’s considerations.

Sáenz: Regulators around the world have been clear that monitoring, record keeping and adaptability are among the key factors they are interested in when assessing an E&C programme: a company’s compliance framework should operate as a ‘living’ aspect of the business, just like any other. This pre-dates the COVID-19 pandemic. Information security maintenance across geographies, systems for decentralised decision making, proper ‘tone at the top’ communication, and health and safety procedures have climbed to the top of the corporate agenda. This does not mean that existing E&C risks tailored to the company’s risk profile have been de-prioritised. Rather, regulators will take notice of failures to reassess, re-evaluate and adapt risk mitigating measures, especially if unaligned with market best practices. An outdated or stale programme is likely to be ineffective in light of constantly evolving risks. In sum, ensuring a robust risk assessment process is as key a goal as addressing existing E&C business risks.

 

Tamara Quailey-Tulloch is the sole compliance manager at Brown Rudnick LLP, an international tax firm with offices in the UK, Paris and throughout the US. She has spent a number of years working in law firms in compliance roles. She can be contacted on +44 (0)20 7851 6013 or by email: tquailey-tulloch@brownrudnick.com.

Andrés Felipe Sáenz is an associate at Cleary Gottlieb Steen & Hamilton LLP who works on litigation and investigations. He frequently advises corporate clients on the development of compliance and integrity programmes, and counsels clients in advance of strategic transactions. He can be contacted on +1 (212) 225 2804 or by email: asaenz@cgsh.com.

Matthew Nunan is an English qualified barrister and partner based in Gibson, Dunn & Crutcher’s London office and is a member of the firm’s dispute resolution group. Mr Nunan specialises in financial services regulation and enforcement, investigations and white-collar defence. Prior to joining Gibson Dunn, he was head of conduct risk for Europe, the Middle East and Africa at Morgan Stanley. He can be contacted on +44 (0)20 7071 4201 or by email: mnunan@gibsondunn.com.

Martin Bischof brings 30 years of experience in the healthcare environment. Currently heading the global ethics, risk and compliance function at Sandoz, his international experience gives him a broad perspective into how businesses have evolved over time and will develop in the future. Over his career he has held senior finance and commercial positions with the originator business of GlaxoSmithKline, and in the consumer businesses of Novartis and Sandoz. He can be contacted on +49 (0)1726 528 322 or by email: martin.bischof@sandoz.com.

© Financier Worldwide

THE PANELLISTS

 

Tamara Quailey-Tulloch

Brown Rudnick LLP

 

Andrés Felipe Sáenz

Cleary Gottlieb Steen & Hamilton LLP

 

Matthew Nunan

Gibson, Dunn & Crutcher UK LLP

 

Martin Bischof

Sandoz

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.