The COVID-19 pandemic is impacting every type of organization, from large, multinational corporations to small nonprofits. But just because the old ways of doing business have changed, regulatory compliance remains a critical business function. While managing compliance in this time of telework, limited travel and budget pressure presents certain challenges, now is not the time to ignore compliance obligations or best practices. This alert suggests some ways in which compliance professionals can continue to accomplish their mission while adapting to our current reality.
1. Re-Read the DOJ Guidance on Corporate Compliance
Fewer meetings and less travel means, at least in theory, more time to step back and think about the big picture question: what should an effective compliance program include? While this macro question suggests many different answers, depending on the size and type of organization, the obvious part of any answer is: an effective compliance program should reflect the principles set forth in the U.S. Department of Justice’s (DOJ) guidance on the subject. DOJ’s “Evaluation of Corporate Compliance Programs,” last updated in April of 2019, is structured around three “fundamental questions”: (1) Is the corporation’s compliance program well designed?; (2) Is the program being applied earnestly and in good faith?; and (3) Does the compliance program work in practice? Beyond these three key questions, the DOJ guidance focuses on the importance of several of the attributes of any effective compliance program, including policies and procedures, training, reporting mechanisms and investigations, third-party due diligence, tone at the top, compliance independence and resources, incentives and disciplinary measures, and periodic testing and review. Compliance officers should consider “dusting off” their electronic copy of the DOJ guidance and re-reviewing it with an eye toward ensuring that their own program reflects DOJ’s views on what DOJ prosecutors should consider when evaluating a company’s potential liability.
2. Re-Evaluate Your Compliance Training Program
DOJ’s guidance makes clear that it considers training and communications to be a “hallmark” of a well-designed compliance program. In particular, any effective program must focus on training and communications that are risk-based, content-appropriate, reasonably frequent, appropriately targeted and well-documented. Training does not have to be in-person to be effective, especially given our current reality, but it should, to the extent possible, be interactive. The latest virtual meeting technology is a great way to present “live” instruction without requiring attendees to be present with the instructor. Training should not be “cookie-cutter” or “one-size-fits-all.” Instead, different training rubrics should be specifically designed for different groups—one for the board of directors, another for managers, yet another for “high-risk” employees. Consider periodic refreshers of even tried-and-true curricula to include new relevant hypotheticals and real-life case examples. Compliance officers may consider designing a training program for third parties. Recent history tells us that most Foreign Corrupt Practices Act (FCPA) issues are caused by third-party agent activities. For some companies, requiring key third-party agents to participate in corporate training can be an effective way to enhance compliance. The bottom line for compliance training is that it has to be adequately designed and disseminated to those most likely to encounter opportunities to deviate from compliant behavior.
3. Use Technology as a Compliance Force Multiplier
As noted above, just because in-person meetings are not a thing right now does not mean that companies get to take a break from compliance. Bread-and-butter compliance activity from training to investigative activity must continue, albeit largely in a virtual way. With some creative thinking, meaning outside of the usual comfort zone, and the right technology, just about any compliance function that was essential before March 1 can be done despite our current reality. Meetings, training and interviews can all be done virtually. One essential part of moving to a more virtually or tech-based method of operation is mastering the technology. If your investigators are going to use a virtual platform to conduct witness interviews instead of doing it the old-fashioned way, ensure that they are trained and practiced in the finer points of using the technology. Not knowing how to mute the microphone or share documents during an interview will not reflect the authority or seriousness that should accompany all compliance functions. And, with respect to attorneys who are investigators, Model Rule of Professional Conduct 1.1(8) requires them to maintain competence in the technology they are using. Of course, with increased use of technology comes heightened cybersecurity risk, and remote activities must be appropriately safeguarded against such risk. Moreover, telework itself presents certain compliance issues, and now is the time for the compliance and HR departments to work together to ensure the organization’s remote work and data security policies are both up-to-date and being enforced.
4. Be Careful Not to Create Compliance Blind Spots
With companies of all sizes facing what may seem to be, or, in some cases, are existential crises caused by this pandemic, it can be easy for regular compliance activities to be ignored or postponed. This is not the time—no time is—to let compliance efforts lapse. Company leaders must be disciplined in the way they respond to this crisis, and ensure that they are tailoring their day-to-day responsibilities to the current environment in which business is being conducted. For example, compliance with lobbying disclosure laws is particularly important given the nature of this crisis and the nearly unprecedented levels of government involvement. With the tempo of lobbying activity in Washington and elsewhere increasing significantly during the past 30 days, more than the usual government relations people within companies, meaning CEOs and board members, have been and likely will continue to be in direct contact with policymakers and staff in ways that are not typical. Such contacts are strictly regulated and must be reported in different ways, depending on the specific governmental body at issue. Keeping track of which individuals are involved in these activities to ensure accurate reporting will help the company to avoid running afoul of the various lobbying laws.
5. Redouble Efforts to Obtain Organizational Buy-In for Compliance
In the best of times, obtaining enterprise-wide buy-in for compliance can be a challenge. This crisis presents an opportunity for a reemphasis of the right tone at the top. While this term is sometimes criticized as overused or misused as an empty catchphrase, the fact is that DOJ itself uses this phrase in its guidance to prosecutors. Whether called “tone at the top,” “ethical leadership” or something else, the point remains that effective compliance requires the very top leaders of any organization to effectively communicate the following: (1) compliance is an organizational priority; (2) everyone within the organization has a role to play in ensuring organizational compliance; and (3) effective compliance efforts will be noticed and rewarded. The current environment presents an opportunity to evaluate the organization’s leadership culture on compliance with the goal of identifying weaknesses or opportunities for improvement. Examples of useful ways to measure these concepts include social media monitoring, employee surveys, group discussions, and exit interviews with departing employees. Engaging in such self-critical analysis and attempting to improve on any negative findings can be important to not only enhancing compliance, but also in convincing DOJ that the company applies its compliance plan earnestly and in good faith should an investigation occur.
As chaotic as things are right now for nearly every organization, now is not the time to back-burner compliance. Indeed, compliance professionals should view this crisis as an opportunity to invest in compliance now in order to avoid or mitigate bigger (more costly) problems in the future. Now is the time to gain a better understanding of your company’s potential vulnerabilities, especially in light of the current crisis, and focus your compliance attention on these specific areas. Finally, the compliance department should not assume that the legal department is too busy dealing with all the legal issues presented by this crisis to be bothered with compliance issues. If ever there was a time to work extra hard on breaking down silos, it is now. Compliance efforts are most effective when working collaboratively with the legal and business functions across the entire enterprise.
Information is changing daily and some of the content included in this alert may have changed or been updated since publication.
Click here to read more Brownstein alerts on the legal issues the coronavirus threat raises for businesses.
This document is intended to provide you with general information regarding regulatory compliance during the COVID-19 outbreak. The contents of this document are not intended to provide specific legal advice. If you have any questions about the contents of this document or if you need legal advice as to an issue, please contact the attorneys listed or your regular Brownstein Hyatt Farber Schreck, LLP attorney. This communication may be considered advertising in some jurisdictions.