Compliance Lessons Learned the Hard Way in 2020

By Matt Kelly

Like everyone else these days, I’ve been thinking about compliance lessons that industry leaders can take from the pandemic to carry them into 2021—and, again, like everyone else these days, I barely know where to start.

Should we talk about cybersecurity? If so, we could bounce from ransomware to privacy regulation to employees using confidential company data on personal devices as they work from home, and so much more.

Or should we talk about fraud risk? Then we could consider how to implement new policies and procedures if your company is selling valuable goods like personal protection equipment or toilet paper.

How about policing against workplace bullying that happens via Slack or Skype or Zoom? Or conducting complex investigations from your home office? Can you require employees to get vaccinated? Can they force you to let them work from home forever?

You get the idea: to talk about “pandemic-proofing” your compliance program is nearly folly, because so many questions simply don’t have a clear answer. That insight in and of itself is probably where the biggest lesson of all lies for compliance officers.

Not Pandemic-Proof, but Pandemic-Resilient

Compliance programs need to be more agile as they try to address risks. The pandemic has thrown a host of challenges upon the corporate world, and as we grow more accustomed to the “new normal” of life, that will bring a host more.

No company can inoculate itself against all of those challenges (if you’ll allow the metaphor). The better approach is that the company strengthens its immune response, so it can address each challenge that comes along—and an effective compliance program is crucial to that. 

Why? Because compliance programs assess risk and then guide employees toward certain standards of conduct. That guidance takes the form of policies, procedures, controls, disciplinary actions, training sessions, and the like; but it all still works toward the goal of guiding employees to certain behaviors.

The pandemic has made that exercise more difficult: more risks to evaluate, more complicated solutions to implement. However, it’s still the same exercise that corporations will have to complete. They’ll still need to devise sustainable ways to comply with regulatory challenges, even amid a more volatile, uncertain business climate.

That’s resiliency in the face of the pandemic. Now let’s consider some practical ways to achieve it. Here are 4 ways compliance officers learned lessons the hard way and how you can ensure you are better prepared for the unexpected going into next year.

1. Build Your Risk Assessment Strategically

Businesses can’t respond effectively to a risk until they understand their exposure to that risk. So your risk assessment capability will need to be sharp. What will that require? Several things, including:

  • A strong ability to identify new or changing regulations, especially if your business operates on a global level. Even within the United States, however, you’ll still need to be able to track changes at the state and local levels.
  • Closer collaboration with operating business units, to understand any internal changes to standard procedures that might consequently alter your compliance risk. If employees suddenly start using a new chat application, for example, you need to be confident that you will learn of that fact, so you can assess the privacy or recordkeeping risks it creates.
  • Versatile testing and monitoring procedures, so you can identify weaknesses in policy, internal control, or training that need remediation.

The better your compliance team and technology are at those three tasks, the more effective your risk assessments will be.

2. Develop and Manage Policies More Deftly

A large part of coping with the pandemic involves adopting new policies, amending old ones, and assuring that all policies are enforced properly across the whole enterprise. So effective development and management of policy are crucial.

For example, companies are likely to allow more employees to return to the office in 2021, and perhaps to undertake other tasks such as traveling for sales meetings or business conferences. Those actions will be fraught with risks from both a compliance and operational perspective. How many accommodations will you give employees to keep working at home? Will you allow employees to take a sales trip? Will you forbid them from attending a conference, even on their own dime?

You’ll need to devise a policy to answer those questions (and so many more). The even greater challenge, however, will be assuring that all managers know their applicable policies, and follow them.

Inconsistent application of policy can invite regulatory enforcement, civil litigation, bad press, lost business, and poor morale. That’s always been true—but again, the dynamic today is that the pandemic makes that threat more acute.

3. Embrace Technology and Analytics

If for no other reason, compliance functions need to embrace technology because the pandemic disallows in-person tasks such as leading a training session, conducting an investigation, or having an operations manager walk you through a sensitive business process. You have no choice but to embrace collaboration software, video conferencing, and data analytics.

Then again, that’s not a bad thing. Collaboration tools, for example, allow for a different, but still useful experience—say, conducting a “virtual” walk-through where you can still have eye contact with the executive, share electronic documents quickly, and save precious budget dollars that historically would have gone to travel costs.

Better data analytics, meanwhile, goes hand-in-hand with our earlier points about sharper risk assessments and policy management. You’ll never do those tasks well without a better ability to collect and analyze data across the whole enterprise, to identify any discrepancies between what you want to happen and what actually is happening.

4. Document Everything

This is another point about compliance that always has been true, and the pandemic only makes it more true.

Take, for example, a decision to resolve some issues or investigations differently during the pandemic than you would have previously. You might implement new controls on a temporary basis to address a heightened risk, after careful assessment of the changed situation.

At some point in the future, you may need to defend the decisions you’ve made today. (Consider, for example, the scrutiny that will come in the early 2020s of all the emergency government funding gushing through the economy today.) If you don’t document those decisions for posterity, posterity may prove to be an unforgiving place. So documenting your policies, procedures, and testing will all be more important; and keeping that documentation in one central, secure repository will be, too.

The Takeaway From Compliance Lessons Learned

Coronavirus is not a single event that companies can contain until the threat recedes. It’s a change in our circumstance, with consequences likely to last for many years. Hence your compliance program needs to be resilient in the face of those consequences, rather than a program that defeats the pandemic. No such thing is possible.

That means compliance programs need to adapt: to develop skills better suited to the challenges at hand. That’s what survival is all about—true for animals in the physical world and compliance programs in the corporate one.
