10 Steps to shoring up your compliance practices to manage risk and improve compliance in a post-pandemic world.
Written by: Sandeep Seth, Director, Corporate Compliance, Pfizer India
As organizations start bringing their workforce back to the office, many will be deeply focused on “making up” for the downturn in revenue and output. As a result of this recalibration, some may feel pressured to cut corners, which heightens the risk of unethical practices.
The COVID-19 pandemic has driven organizations to alter their business, supply chain and demand models and even adopt new emerging online methods of working. This has changed the risk profile for most businesses. Owing to the changing dynamics, organizations and leaders must be actively involved in understanding, identifying, and mitigating emerging risks by enhancing their compliance program. This is the true test of compliance and ethical leadership.
Evolving Risks
Businesses have had to reset their priorities. During this period there is a high chance of overlooking various elements of the organization's compliance program while dealing with emergency and unique situations. Presently, organizations are dealing with various newer risks and challenges including:
- Staff Shortages including compliance teams;
- Easing controls to deal with the COVID-19 situation;
- Dealing with third parties with lower control/due diligence to meet changing demand or model;
- Change of culture, working habits;
- Increase in work from home – Challenges of background check verifications;
- Data security and confidentiality due to high reliance on online working.
Apart from these operational and program-related challenges, there has been a visibly sharp increase in newer types of unethical practices misusing COVID-related situations. As reported by various reputed regulatory agencies around the world, there has been a significant number of complaints of such scams, including:
Imposter Scams: This consists of sending fake emails purporting to be from the Government Disease Control Department or Health Organization, encouraging the recipient to download malware or provide sensitive information.
Treatment or testing scam: Scammers trying to sell fake cures or unproven treatments that allegedly prevent, detect, or cure COVID-19, thus taking advantage of a vulnerable population.
Relief Payment Scams: Scammers are trying to obtain personal and banking information by falsely claiming to be part of the Government Relief Program.
Phishing scams: Using hoax emails to target individuals and organizations.
Agencies are continuously providing various tips and alerts to inform individuals and organizations as to how they can guard against such scams. Some agencies issued notices about the measures they would take against these scams and described procedures being instituted to help combat fraud involving the pandemic.
Leaders and compliance officials in every organization must be aware of these risks and make every effort to implement the tips, measures and procedures suggested by various agencies.
Addressing compliance risks …all the time
The pandemic is also an opportunity to evaluate our compliance program’s resilience and ability to deal with evolving and emerging risks in the organization. Compliance programs must be assessed, tested, and enhanced periodically to meet the changing business and risk environment; otherwise they would just be paper or static compliance programs.
The following ten elements pertaining to design, implementation, and practice of a compliance program would be useful to consider for the organization to mitigate emerging risks and strengthen the compliance program:
- Review existing controls and risk assessments: It is advisable to assess the current compliance controls and ensure they adequately manage new risks posed by the pandemic. It is advisable to conduct revised risk assessments and re-evaluate risk rating and mitigation plans. There is a possibility that a few of the newer and emerging risks have moved up in the risk rating.
- Evaluate suspension of compliance exceptions (if any), which would have been taken during the pandemic emergency. Make a reasonable exception policy to deal with such situations in the future and keep an emphasis on the “zero tolerance” policy for unethical practices.
- Tone at the Top: The board and management should clearly and frequently re-emphasize the organization’s commitment to ethics and compliance during the crisis. It is advisable that managers at all levels reiterate important compliance policies that need to be adhered to.
- Consider a novel approach for innovative and effective compliance training: During this time of crisis, compliance training should use interesting and engaging methods and modes including case studies, role play, videos, and others. The overall approach of training and communication should be a positive reiteration enhancing positive energy in these testing times. It should also cover how to deal with specific issues or situations related to the business process during the pandemic.
- Issue regular reminders, alerts, and guidance on the emerging risks and specific COVID-related risks. Companies can consider rolling out an FAQ document to address the most common queries related to the business process changes due to COVID-19.
- Review company policies related to work-from-home and associated compliance risks. Assess risks related to data confidentiality and security (e.g., access rights, authentication, communication & storage of confidential information), insider trading, privacy, business continuity and record management. Make sure that the appropriate approval process is in place for all significant decisions despite the remote work environment.
- Conduct periodic testing of critical controls pertaining to high compliance risk areas; however, testing protocols can be adjusted in line with the COVID-19 situation. Companies considering tools such as online/digital reviews to replace physical verifications must make sure that they engage reputed and reliable vendors who can address the risks despite adopting alternative protocols.
- Keep more focus on third parties and vendors to make sure they provide satisfactory services during this crisis period in terms of their commitments to follow policies and mitigate risk without lowering their guard. Current working conditions can compromise normal monitoring procedures, which increases the likelihood that employees and third parties could behave in a non-compliant manner.
- Monitor the notices from various regulatory bodies and authorities and appropriately cascade the alerts, latest guidance, tips, and emerging corporate fraud risk areas flagged by them. It is important that each colleague in the organization remains vigilant against any action by fraudsters and other bad actors to take advantage of the pandemic.
- Re-emphasize the organization’s Code of Conduct and values. Reiterate commitment to these values as pandemic-proof and requiring no adjustments. Organizations should be responsive to misconduct and noncompliance in a similar manner, no matter what challenges or crisis they face. The compliance function should remind managers to watch for red flags and to promptly report concerns.
It is true that every organization tends to adopt flexibility and adapt to sudden industry and market movements while changing its strategic vision. However, this should be done carefully, upholding ethical and compliant principles. While we know that business and health risks are of primary concern right now, effective compliance programs continue to be essential to an organization’s success, even more so during and after this pandemic and economic crisis. Evaluating and fine-tuning our compliance programs to mitigate these emerging risks is the need of the hour.
About the Expert:
Sandeep Seth leads the Compliance function at Pfizer in India. He is part of the company’s Executive Leadership Team and provides strategic compliance direction to Pfizer India operations. He is responsible for overall compliance strategy, framework and implementation of Compliance programs & initiatives.