Crisis Week: Part 3 – Compliance Resiliency

Thomas Fox

Compliance Evangelist

Perhaps the most prescient comment I heard during the height of the pandemic came from Jed Gardner, Group Director of Transformation at Linedata, which was that we have moved from disaster recovery to business continuity to business as usual. It appears that not only was the comment correct but now we are moving in the business world from crisis to crisis to crisis. This month’s Harvard Business Review magazine dedicated its Big Idea Series to the topic of crisis. Over this short week I am exploring what this new reality means for the compliance professional. Monday we looked at compliance as a trip wire to alert businesses a crisis is on the horizon, through the article A New Crisis Playbook for an Uncertain World. Tuesday, through the article Building a Culture That Can Withstand a Crisis, we considered the role of culture in dealing with a crisis.

Today we consider how to make sure your compliance program is resilient. Our starting point for today is the article 6 Types of Resilience Companies Need Today by Paul Polman and Andrew Winston. As every compliance professional knows, resilience must be built into every compliance program. The reason is simple: in today’s volatile and uncertain world, corporate compliance programs will face many crises. It could be a Foreign Corrupt Practices Act (FCPA) violation, but it could also range from a natural disaster which destroys property and disrupts operations, to the discovery of human rights abuses in a supply chain which breaks consumer trust earned over years. It can also range from an activist shareholder who presents a hostile takeover bid which shakes a business to the core to new competitors and technologies upending the industry. As we all know, a global pandemic or a new social justice movement can emerge to change everything.

In their article, the authors looked at decisions made by the multinational Unilever PLC to create both “traditional forms of resilience (financial flexibility, portfolio diversity, and organizational agility) and less-obvious forms (driven by purpose, trust, and stakeholders) that changed the company more deeply, we aim to show how leaders can best prepare for the world ahead.” I have adapted their prescriptions for the Chief Compliance Officer (CCO) and compliance professional.

The traditional building blocks of corporate resiliency include financial flexibility, portfolio diversity and organizational agility, which the authors believe are “essential preparation for sudden shocks and long-term crises.” Compliance must contribute to getting and keeping businesses moving, as “only companies with already healthy balance sheets can weather such storms.” Obviously in your compliance portfolio there must be a variety of agents on the sales side which are fully vetted and approved. The same is now true for vendors in the Supply Chain. That is one of the key features in the five steps in the lifecycle of third-party risk management. If one step cannot be fully utilized, it does not mean you cannot use that third party; it just puts more pressure on the other steps. In other words, greater risk management resiliency. Compliance function agility lends itself to structural changes to build organization-wide compliance resilience, with the compliance function getting faster feedback from regions about what is working and where more compliance resources need to be delivered. Through this approach you can identify possible problems before they become crises.

The authors’ real insight comes from what they see as the “larger opportunity is in making a company more broadly crisis-resistant for the long term, because doing so serves multiple stakeholders — not just shareholders. We argue that the strongest organizations today and in the future will thrive by giving more than they take from the world. We call this kind of company “net positive” because it seeks to improve the well-being of everyone it touches through its operations, value chain, products, services, and influence. Organizations that have a clear purpose, build strong relationships that reinforce each other, and amass a reservoir of trust will have deeper sources of strength when they need them most.” That sounds like exactly the function of a CCO and corporate compliance program.


A company that knows its reason for being, and consistently backs it up, is both tougher and more flexible during a crisis. If this is not a mere add-on but strategy, your company will be exponentially stronger. Here compliance plays a, if not the, key role in communicating a corporate strategy of not simply doing business ethically and in compliance but also following the outline laid out in the Business Roundtable’s Statement on the Purpose of a Corporation by listening to and incorporating information from all stakeholders in an organization. Of course, building out internal controls fully as laid out in the COSO 2013 Framework for Internal Controls can build out the backbone of this effort.


Trust is an absolute key for any compliance program. You must build trust through institutional justice and institutional fairness. But now take that same concept and apply it out to all your stakeholders. It may require a level of transparency your organization has not previously engaged in but through trust you will be able to foster an entire culture of not simply speak up but also listen up. As the authors note, “Transparency is a great tool to ensure consistency and engender trust. Rather than rebelling against tough questions and pressure, business leaders should embrace them and use them to build a stronger organization.”

Engage All Stakeholders

I have mentioned the Statement on the Purpose of a Corporation several times. Most compliance functions typically do not deal directly with all stakeholders. Now imagine if they led such an effort, from a corporate culture perspective. The authors believe, “Net-positive companies build better connections with stakeholders besides employees as well.” If compliance can help to engage a wide variety of stakeholders, those same stakeholders that are engaged through the compliance function, such as through due diligence and contracting, you will likely have a wider variety of stakeholders, “bound by purpose and all trusting and working in partnership with the company, provides a diverse bank of support.” All of this can act as a “large, spread-out root system — not just one anchor but many that can take a lot of pressure.”

When the biggest crises hit, compliance or otherwise, all six forms of resilience help you move quickly and effectively. The authors conclude, “No company can prepare for every outcome, but these six forms of resilience, put together, can provide a serious buffer. They also allow organizations to work in larger coalitions on the biggest issues, such as climate change and income inequality. Net-positive businesses don’t just endure or bounce back from crises; they also anticipate and prevent them.” All of these strategies are not simply in the compliance wheelhouse, but they are part of the ever-evolving best compliance regimes. They will make you a better company in times of great change, disruption and upheaval.


© Thomas Fox, Compliance Evangelist | Attorney Advertising
