Get Your Compliance Program Ready for 2021

Matt Kelly

The past year proved enormously challenging for corporate compliance officers, and most of us are happy to see it pass into history. Yet next year isn’t likely to be any less demanding. On the contrary, 2021 will be a blend of resolving prior challenges from 2020 and tackling new challenges that have been building for years. Now it’s up to you: how will you get your compliance program ready for 2021?

Let’s take a look at five significant trends that will impact the compliance space over the next year.

Policies, Procedures, and Public Health Issues

The world will start vaccinating itself against COVID-19 next year and returning to pre-pandemic life. While that’s excellent news, it also poses tricky issues about workplace policy, internal reporting, and training for compliance programs. 

For example, businesses next year will be faced with questions such as:

  • Can we require all employees to get vaccinated if they want to return to the office? (In the United States, yes you can.) Where we can require vaccination, should we? 
  • If we don’t require vaccinations, should we allow employees to keep working remotely if they fear contracting COVID-19 from others? 
  • How do we train managers to understand and follow corporate policy about returning to work—especially if local laws mean some locations behave one way, and some another way? 
  • How do we handle complaints about managers or coworkers supposedly violating the policy on vaccination, or working from home, or ignoring mask rules in the office? 

You get the picture: the arrival of coronavirus vaccines will lead to a surge of new policy questions, all of them freighted with difficult questions about labor law, corporate ethics, and workplace fairness. 

Your compliance program will need to anticipate those issues. For example, you’ll need to track public health regulations across multiple countries, states, and municipalities so you can revise corporate policies to match compliance obligations. You’ll need to train managers on how to implement those policies. You’ll need investigation protocols for the inevitable allegations that someone is or isn’t vaccinated, or managers are or aren’t treating workers according to policy and local law. 

2020 was a crash-course in the compliance issues that can arise from public health crises. 2021 will now be the advanced course in versatile policy management, training, and internal reporting.

Aggressive Enforcement From New Administration

The Biden Administration will bring a more ambitious agenda for regulatory enforcement—and honestly, enforcement during the Trump Administration was never as relaxed as expected anyway. Regardless, enforcement against corporate misconduct is going to increase. 

We can deduce some enforcement priorities right away, either because the Biden campaign has stressed them (more OSHA enforcement of workplace safety rules, especially relating to pandemic safety), or because they were priorities begun under the Trump Administration that will endure next year (more enforcement of PPP loan fraud). Vigorous enforcement of the Foreign Corrupt Practices Act (FCPA) will continue as usual. Antitrust enforcement will increase somehow, although exactly how isn’t clear yet. 

Compliance officers, however, can bank on one point: that your ability to demonstrate the effectiveness of your compliance program will be as relevant as ever. This means you will need an effective compliance program, as defined by the U.S. Sentencing Guidelines and related guidance from the Justice Department. If enforcement risk rises—and rest assured, it will—then an effective compliance program becomes more important, because that’s what helps the company to avoid onerous penalties and compliance monitors. 

In that case, remember the major themes of the most recent Justice Department guidance on compliance programs, from June 2020. First, compliance programs should evolve with the risks that the business faces, including “lessons learned” from similar businesses that go through enforcement actions. Second, compliance departments should have access to relevant reporting data to help the program keep pace with those risks. 

Does your program meet those expectations now? Your ability to meet them will become more important in 2021 and beyond.

Brace for Climate Change Disclosures

The Biden Administration has also made clear that it wants to grapple with climate change. So have deep-pocketed investors such as pension funds and other institutional investors. So have regulators in Europe. So have consumers. 

Compliance and risk officers should start thinking now about how their organizations might improve their tracking and disclosure of data related to climate change and related sustainability issues. One way or another, a more disciplined approach to such disclosure is coming. 

For example, either the Biden Administration or other governments could require companies to use a specific framework for climate change risks, controls, and disclosure. The Sustainability Accounting Standards Board is one example, but numerous potential frameworks exist. Next would come the work of performing a gap analysis between that framework and your business operations, remediating weaknesses, reporting data to regulators or investors, and so forth. 

This isn’t a new concept. Businesses use the COSO framework for internal control to satisfy Sarbanes-Oxley compliance and rely on extensive commentary from the Justice Department as a pseudo-framework to satisfy FCPA compliance. Climate change will just be a new iteration of that—one where the compliance officer’s experience in risk assessment and mitigation will be valuable.

More Third-Party Governance

Another significant compliance challenge is driven by simple business need: the push toward more reliance on third parties, for everything from technology and business services to critical supplies. 

Compliance officers already know the anti-corruption risks around using third parties; they’ve been causing us FCPA trouble for years, and compliance programs have built sophisticated techniques to assess those third-party compliance risks. But as companies use third parties for more tasks, that introduces more types of risk—cybersecurity, supply chain, and human trafficking, to name only a few. 

As those third-party risks expand, the skillful management of third-party risk will become more important. Enter the compliance program, a natural candidate to address that challenge.

For example, third-party risk assessments will need to be more comprehensive. Policies about when and how to use third parties will need to be more thoughtful. Training, monitoring, and internal reporting about third-party risk will all need to evolve too. 

Better technology to manage all that oversight will be one part of the solution. Another part will be for executive management to include the chief compliance officer in business strategy decisions, so the CCO can raise compliance concerns before a new strategy is unveiled. Those points have been true for several years now, but in 2021 and the decade to come, they’ll become irrefutable elements for business success.

We could probably list many more issues that compliance officers should keep on their radar for 2021, but we’re out of room today. Here’s hoping that we can all meet in person by the end of next year.