Compliance's Role in Crisis Management

By the time you read this post, your company will have been navigating the COVID-19 pandemic for at least a month. The whole enterprise, and you as a compliance officer, will have been trying to find your footing through one crisis meeting after another. So let’s talk about compliance's role in crisis management because compliance teams should play a vital part. That’s particularly true in confronting something like COVID-19—a crisis without a clearly defined end, or any easy-to-follow response plans based upon prior crises.

At best, senior executives have a rough sense of the concerns that coronavirus puts in front of them: employee health, supply chain instability, financial liquidity, facility closures, and so forth. They might even understand the solutions they’ll need to develop: new policies for sick leave, tools to monitor suppliers, and controls on expenditures, to name a few.

Tying issues and solutions together in the right way, to keep the enterprise sustainable amid prolonged uncertainty and volatility—that’s the hard part. It’s also where the capabilities and experience of a strong corporate compliance function can be invaluable. For example, one of the most important resources the C-suite will need during crisis management is accurate, reliable data from the workforce about what’s really happening in the business.

Let’s consider a few areas where compliance's role in crisis management is critical:

Internal Reporting

A strong internal reporting system can provide that intelligence. I wouldn’t be surprised if you’ve seen that pattern emerging already in your reporting system: more questions about sick leave policy, or complaints about insufficient protective equipment on the factory floor, or concerns about how to interact with customers. 

Every organization will need to find its own answers to those issues, but an effective whistleblower hotline is the mechanism by which those issues can be brought to management’s attention. It can receive internal reports, and then analyze and distill all that data into the most urgent priorities management should consider. This is one way a compliance program can support senior leadership during the current crisis and the next one. 

Risk Assessment

Better risk assessments will be crucial in the months following a crisis. COVID-19, for example, has forced companies to discard so many of their standard, well-understood business operations. As companies improvise new methods to keep going during coronavirus, they’ll need to understand the new risks that come along with those substitutes.

For example, work from home policies can reduce employees’ exposure to COVID-19, but they also introduce other risks the company will need to address—everything from data security, to fraudulent transactions, to workplace bullying. Meanwhile, new safety procedures for factory workers can bring new liability questions: Who is responsible if an employee ignores them? What if the procedures don’t work?

Some of those risks might still be regulatory compliance questions. FINRA, for example, has specific rules for how broker-dealer firms should operate during a disaster. Other issues will simply be new operational risks a company would be wise to consider. Regardless, risk assessment capability will be a crucial skill.

Policy Management

This point is related to our internal reporting example mentioned earlier. As your company develops its response plan for COVID-19, it will need to implement those ideas as policy—and to measure how well those new policies actually work.

That’s a policy management challenge. It won’t be easy, because businesses will need to strike the right balance between a coordinated, enterprise-wide response; and flexibility so each operating unit can respond to the conditions and regulations it faces locally. Senior executives on the crisis management committee will need to know what policies are in place across the enterprise, and which ones will or won’t cause additional headaches.

For example, the company might want to implement a requirement to collect health data from employees; where can that be done quickly, and where will the company need to finesse data privacy rules? Or the company might need to change policy based on local public health rules.

These policy needs will change often, sometimes for the whole enterprise and sometimes for only parts of it. Deft management of corporate policies will be invaluable.


Companies are improvising new ways to do business and new ways to govern risk. They’re also doing this with many employees working from home or managers in one location and employees in another. This is a tremendous challenge for employee training.

Most likely, the HR team will take the lead on training needs during this crisis—but compliance can (or must) help in many ways. You’ll need to devise new training materials relevant to whatever new policies the company is deploying, and you’ll need to ensure those materials get delivered, likely by computer-based learning.

Above All, Leadership Matters

All of the points above are just examples of how a compliance program can help the company with crisis management. That’s not the same as whether the program actually will help—because that depends on the compliance officer directly, and his or her ability to work with the rest of management.

COVID-19 is testing personal leadership skills like never before. Compliance officers will need to identify how their programs could assist HR, legal, security, or business operations; and then make convincing arguments so those other business functions want the help. The compliance community has chatted about that idea for many years: that for true success and to elevate the function, compliance officers should “know the business” as much as they should know compliance; that they should have strong interpersonal skills as much as they should have sharp legal or risk management knowledge.

COVID-19 is putting all those best practices to the test. It won’t necessarily be easy for compliance officers, especially for those at firms that haven’t seen strong ethics and compliance capability as something to be embraced. Still, the fact remains that corporate ethics and compliance programs are about getting large groups of people to behave in certain ways, so the enterprise can achieve certain business objectives, and that is something the compliance team should be equipped to manage.

Not only will companies still need to do that during times of crisis, they will also need to do more of it. Leading employees is going to be more challenging, with so much change, volatility, and risk swirling around us. Compliance functions can help with that—and companies will need all the help they can get. At the end of the day, compliance's role in crisis management will take many different forms, but it is undoubtedly an opportunity for you and your team to do what you do best.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
