Navigating the Coronavirus Crisis for Compliance Professionals

Thomas Fox - Compliance Evangelist

Part 1 - Getting Started

The coming weeks and months will be incredibly challenging for all as COVID-19 does not respect national boundaries, races, religions or any other construct people have created to differentiate themselves from each other. The same will be true for businesses of all stripes across the globe. I want to lay out some of the basics every Chief Compliance Officer (CCO), compliance professional and compliance practitioner will need to begin with in dealing with this crisis.

Almost everyone who is not deemed an essential employee in an essential industry is working from home. That includes compliance professionals. The first step is to work from home as successfully as possible. Sean Freidlin put out one of the first pieces on this as he has successfully done so for the past four years. He also led off the premiere episode of the latest offering from the Compliance Podcast Network, Compliance and Coronavirus, with his tips. Freidlin’s four tips included: get outside the house/apartment/flat for some mind-clearing respite; work professionally, as if you were in the office; develop a flexible schedule, obviously important for a compliance professional at an international organization; and find your comfort zone in dress, work location and moving forward during the day.

Beyond getting set up to work efficiently, you will need to keep in touch with your compliance team. Gini Dietrich, writing in Spin Sucks, believes that it is important to not only keep in touch with your team but do so on a daily basis. Her team has a daily scrum at 8AM where they can communicate to each other what they are working on and if someone has time that day or needs help with a new project, they make a reallocation. Jeffrey Hazylett, Founder of the C-Suite Network, said in a recent webinar that he uses this approach in a different way by having a check in at the end of the day at 5:30 where his team can let everyone know their status, how they are doing and what to expect the next day. The clear import here is to facilitate communications on a wide basis.

Next, what attitude should you bring to this crisis? As a CCO or compliance professional, one of the key traits you should have is empathy. This should come to the forefront even more now. Dick Cassin, writing in the FCPA Blog, said that one thing he is observing right now is fear, and fear produces greed. He used the example of those hoarding toilet paper, but it also applies to the compliance professional, as fear produces irrationality. That fear can be about job security or even the continued existence of your company. This can lead people to do irrational things that they might never otherwise consider, such as paying a bribe.

In a prior post, Cassin said, “corporations live in fear. At least the smart ones do. They know that every day, no matter how hard they try, they’re facing economic extinction. Why? Because that’s capitalism. Someone out there is always trying to eat your lunch.” Cassin ended by noting that often times when a corporation is sanctioned for bribery and corruption, “we automatically point to greed as the reason. Fear isn’t mentioned. Are we overlooking something important? So, let’s close this with a final question (or two): Has our fixation on greed distracted us from seeing how fear motivates so much corporate crime? And does that mean compliance programs are still falling short because we’re trying to cure the wrong disease?”

What this means for the CCO or compliance professional is that you not only have to have more empathy now but you may be required to look closer. Is greed really driving decisions or is it fear now? This could lead to a new manner of thinking and at the end of the day provide a more holistic approach not simply for the detection of bribery and corruption but its prevention through more focused and more efficient training and controls.

Finally, for every CCO and compliance professional, this is the time to exhibit real leadership in your organization. If there was ever a time to demonstrate that effective compliance leads to more efficient business process and greater income, now is the time to do so. A nearly 20-year-old article in the Harvard Business Review (HBR), entitled Crucibles of Leadership, posited there were four key leadership skills which come into play in times of crisis. First, “the ability to engage others in shared meaning.” The next is “a distinctive and compelling voice.” The third is a strong set of ethical values. Last is “adaptive capacity,” which is both the ability to grasp the situation and a strength in underlying purpose which will see you through the crisis. But more than seeing you through this coronavirus crisis, as a compliance professional, you and your organization will be able to both “learn from it, and to emerge stronger, more engaged, and more committed than ever. These attributes allow leaders to grow from their crucibles, instead of being destroyed by them—to find opportunity where others might find only despair. This is the stuff of true leadership.”

Part 2 – Specific Tactics

Next I lay out some specific tactical ideas and items that a CCO can and should employ at this time of the coronavirus health crisis.

A. Compliance Messaging

We are in an unprecedented time of employee isolation and indeed alienation for many employees. More than one person has told me they wonder if they will have a job to go back to. Many businesses in the services industry have been decimated as well as the entire energy sector. Just as people will move to more extreme measures in times of desperation, compliance must become even more vigilant about keeping cultural ethics and your company’s values up and running. This means that communications to and with employees are even more important now. Kevin Abikoff and Mike Huneke, writing in the FCPA Blog, called this “staying visible.”

This is more than the communications with your compliance team that I discussed yesterday. It means a frank, honest and transparent communication about what is going on with the organization. While sharing honestly is antithetical to the philosophies of many organizations, now is not the time to hide information about the health of your business. Company values are at the foundation of all of this and companies need to very much focus on communicating their values. Eric Feldman, Senior Vice President (SVP) of Affiliated Monitors, Inc. said, “Trust and integrity are paramount to business continuity preparedness, including unprecedented business impacts from employee wellbeing.” Compliance should be at the forefront of these communications.

B. The Small Stuff

Now would be a very good time to put into practice the maxim “Don’t sweat the small (compliance) stuff.” You do not need to waste your scarce compliance resources on areas or matters that are low compliance risks. If your company sells internationally largely through third parties, they are your highest risk and should be managed accordingly. Conversely, you do not need to know as much about employee sales team bonuses for domestic sales. Where are your highest sales? Are they in a region with a high risk or reputation for corruption? Then focus your attention there.

C. Know Your Risks

To not sweat the small stuff, you need to understand what your highest compliance risks are now, in the midst of the coronavirus health crisis. This means that now would be a very good time for you to assess your compliance program and your business model to see what your highest risks are now. If you believe there are several, you can prioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While it is true that compliance never sleeps and I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the 2012 FCPA Guidance that “An effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law”. Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” The key is that you have assessed your organization’s risks at this time and responded to manage those risks. If through your assessment one of those risks is isolation and alienation; a compliance response to management of that risk would certainly be appropriate.

Another approach was also suggested by Feldman, who said that when a company is in the midst of crisis and economic stress, often times deficiencies will appear. This means you might want to consider a culture assessment to help understand how employees feel the company (and themselves) should act in the current times of high economic stress. With the technology available today, you can do this with conference calling. This has the added benefit of fostering the communications I discussed above to help fight isolation and alienation, coupled with the assessment needed so that you only manage your high risks and do not sweat the small stuff.

D. Play Some Catch Up

Abikoff and Huneke suggested that now is the time you can play some catch up. I would first suggest that you make sure your compliance files are in order. Do you have full and complete files with your third-party sales agents? From there I would move outward in your risk profile to review the files of your risks in priority order. Abikoff and Huneke also said to use the time not simply to get caught up on reading but more importantly to use the time you have to “think critically.” Where will your company go when travel and trade embargos are lifted? Who will be your partners going forward? What structures will you have in place? Now you should have time to think through these questions as well as many others.

Stephen Martin often talks about the need for a one-three-five-year compliance plan. While many will say, “what an order,” as we do not know what tomorrow may bring, the business reality is that contingency and continuity planning have long gone on. As a compliance professional, you may not have been a part of those discussions but now you may have the time to engage, read and research internally to do so.

When she authored the Financial Times column On work, Lucy Kellaway wrote about the concept of doing less with less in an article entitled “No need to ‘lean in’ when laziness can be just as effective”. Her thesis was that it is only by working less, or what she called ‘becoming lazy’, and by stepping back and focusing on what is truly important, that you can become focused and even more effective. This comes from stepping back and taking the time to make that decision. Now we have all been given that opportunity. Use this time to make your compliance program even stronger.

Part 3 – Tech Innovations

Have you considered some specific technological innovations to help manage your compliance program going forward? What are some of the areas where a technological solution will work for you most efficiently?

A. Third Party Management

Ranked as the highest Foreign Corrupt Practices Act (FCPA) risk is generally third-party management, at least on the sales side. This is a process that can be automated both through the onboarding process, due diligence, contracting and management of the relationship after the contract is signed. While nothing will ever take the place of a well-trained compliance practitioner reviewing and evaluating due diligence, if you can automate the document obtaining and retention process coupled with the back-end relationship management you can significantly cut your costs going forward. Moreover, this process will help you in the Document, Document, and Document function of any best practices compliance program.

B. Internal Controls

Here there is no better example than our friends from GlaxoSmithKline PLC (GSK) to demonstrate not only the failure of internal controls but also how a technological solution can assist your compliance going forward. The company got into hot water in China through two prime methods of paying bribes: the direct incentives and indirect incentives methods. They paid out enormous sums in sales expenses, including travel costs and fees for sales meetings, marketing, business development and other expenses. Most of the largest expenses were travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned the prior year. A simple automated internal control requiring a second set of eyes on such expenses would go a long way to preventing or detecting fraud, in the form of bribery and corruption against the company.

Additionally, it would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a compliance officer, by putting a second set of eyes on any such requests to finalize (read prevent) and approve a definition of permissible and non-permissible gifts, travel and entertainment and internal controls will follow on from such definition or criteria set by the company. Further, by automating this process, you also have a fallback protection on the detect prong.

C. Ongoing Monitoring

Saving the best and most important for last, a final technological solution is around monitoring. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.

Here I want to focus on two technological solutions of ongoing monitoring which can help you to manage your compliance risks more effectively. The first is relationship monitoring. In the GSK matter, internal company emails showed the company’s sales staff in China were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. Relationship software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm which is derived either against a business’s own standard or an accepted industry standard. If a payment, distribution or other financial payment is made outside an established norm, a red flag can be created that can be tagged for further investigation. Vince Walden, partner at Alvarez and Marsal Holdings, LLC, calls this your company’s “payment stream, post contract.”

The pressure for the corporate compliance function will only increase during the time of the coronavirus health crisis and beyond. You will need to bring both new tactics and strategies to bear to more fully prevent, detect and remedy compliance and ethics deficiencies. Moreover, in every crisis is an opportunity to learn. Even in a crisis not seen by any in our lifetimes, you can learn to do things smarter and more efficiently even if it is because you are forced to do so. If you can demonstrate greater efficiency and a longer cost effectiveness in using a technological solution in conjunction with your compliance program, that may be exactly the message that your senior management may not only want to hear but will respond to favorably and provide some funding. But you have to do your homework and be able to demonstrate value going forward.

Part 4 – Company Responses

As a CCO, you need to work to not simply embed these values during times of high stress and pressure like we have now but also to help protect the company’s reputation in this crisis. The reason for the latter is that a company’s reputation can literally be shattered beyond repair if they mistreat their workers or even worse, put them in jeopardy during this crisis. With the ongoing and about to get much worse economic crisis trailing just behind the health crisis, companies will need every tool in their arsenal to weather the economy when people can get back out and head to the office.

What should be your bottom line? In Markets Insider, Mark Cuban, the billionaire entrepreneur, Shark Tank investor and owner of the Dallas Mavericks, provided a clear message for Chief Executive Officers (CEOs) of the Business Roundtable amid the coronavirus crisis: “prioritize employees and their families over shareholders right now.” He went on to say, “Shareholders come last. You guys have so much impact on the world that you need to take care of your employees and their families first.” He continued: “If you’re a great company, your shareholders will understand and will expand their P/E out of respect, because they’re all dealing with the same circumstances.”

Why is Cuban so passionate about this point? It is a simple equation. He said, “The reality is by doing the right thing with your employees, you do more to help stabilize the economy. And from there, we have a better chance of getting back to business as usual. If you just try to nickel and dime everything to try to optimize your earnings per share and keep shareholders happy, and at the same time your employees suffer and struggle, you’re going to get hit.”

The reason is simple, “Companies that don’t do the right thing will face consequences in the future, especially because younger consumers such as Millennials and Gen Z are watching crisis responses. But Cuban thinks amid the coronavirus outbreak, CEOs should go a step further and consider how their actions will be viewed by consumers in the long term.”

Alyson Van Hooser, expert on leadership for Millennials and Gen Z, echoed this sentiment in her blog post Quarantine Effects on Gen Z Workforce. Van Hooser wrote, “Gen Zs are seeing right now which companies are sustainable in hard times and which are not.” This is not the first time Gen Z has seen an economic downturn but it is the first time of social isolation and even quarantine. Van Hooser’s direct question to companies is what are you doing in relation to Gen Zs seeing this for the first time? Are you treating your employees fairly or are you simply putting them on furlough, or worse putting them at risk by forcing them to return to work during this health crisis? Her conclusion, “Here’s the deal, whether intentionally or not, Gen Z is making little deposits of information that will affect how they search for an employer in the future. I can definitely see where they will be searching for a company that is more stable vs. risky, a company that is widely known for taking care of their employees, and possibly even entrepreneurial opportunities in an industry that is essential to daily human life.”

Or is your company going to be one which simply furloughs its workforce, continuing to slavishly devote its assets to shareholders and keep senior managers at full pay? Chris Tomlinson, writing in a Houston Chronicle piece aptly titled “Corporate CEOs should go without pay until employees' jobs are secure”, said, “Plunging revenues give CEOs a choice of either spending strategic reserves to keep employees on the payroll or scale back and lay them off. If a CEO is making 221 times the average employee at the company, that’s a clear opportunity to save jobs.” He went on to write about hometown employer Halliburton, which is summarily “furloughing 3,500 workers without pay for 60 days. But no word from the company spokeswoman on whether Chairman and CEO Jeffrey Miller will cut his $1.4 million salary. He collected $16.9 million in compensation in 2018. If Miller were to waive his compensation, he could save 290 jobs. Frankly, he and other CEOs owe us.”

Contrast that with the largest oilfield service provider, Schlumberger, which had layoffs and furloughs but the senior executives and management all took pay cuts. Which company looks like it cares more about its human capital? Some companies are taking it a step further. As reported by Deadline.com, Disney Corp. “incoming CEO Bob Chapek this morning announced a salary reduction of 30% for EVPs and above, 25% for SVPs and 20% for VPs “until we foresee a substantive recovery in our business.”” Chapek himself is taking a 50% pay cut, while executive chairman Bob Iger will forego 100% of his salary.

Cuban had it right. It is employees who will get you through this convergence of health crisis and economic downturn. But if you mistreat them by summarily furloughing them or laying them off and do nothing as leaders to impact it one iota, where do you think they will go when the economy bounces back? More so, as Van Hooser said, Gen Z is watching. They are watching to see not only how companies treat their employees but also are those companies socially responsible. Are they “work here or else—even though your state is under an isolation order?” Or are they taking every step they can to protect worker safety?

Employees, the marketplace and all other stakeholders are watching and how you react as a CCO now may well go a long way towards your company’s future down the road.

Part 5 – Final Thoughts

This white paper has focused on some of the things a CCO or compliance practitioner can do right now, in the midst of this crisis, and what we might need to consider as we prepare to come out of the crisis, hopefully in the weeks and months ahead. I have also started a podcast Compliance and Coronavirus, which is designed to bring some much-needed clarity and sanity to the compliance practitioner. I conclude by providing some final thoughts for the compliance professional on the challenges they face going forward.

A. Time Horizons

In an upcoming podcast on Compliance and Coronavirus, I visit with Tricia Cornell, Principal and Head of Creative Services at ReThink Compliance. One of the things which she said was that you have to reconsider and indeed rethink your time horizons. While right now, you may be in pure survival mode and cannot think past one week, you also need to consider how you will operationalize compliance in the next 30 and 60 days. This concept was echoed by Jeffrey Hazylett, founder of C-Suite Networks, who said you should focus on the next 60 days and getting through that time frame.

What are some of the things you can do? Keep your customers in focus. For compliance professionals this means your employees. What can you do to not simply assist the business operations but help make your business processes even more efficient during this time so that the company will come out of it stronger and even more profitable? Keep your compliance team focused. For the next two or three weeks check in with your team daily to find out what they are working on and what they have accomplished. Rethink your compliance training library for the risks you are facing right now.

B. Internal Controls

Who is watching your internal controls? Jonathan Marks, writing in his blog Board and Fraud in a piece entitled Fraud, Compliance & Integrity Risk During a Crisis and a Downturn, cautioned “A crisis situation can and often does increase the pressure on senior management and of course salespeople to meet their sales targets! Deviant behavior, like overriding or circumventing controls “just one time”, is easily justified. So it should go without saying that companies and their boards need to recalibrate and in most cases increase their oversight today and subsequent to the crisis until things stabilize.”

This time of health crisis and economic downturn could certainly add to the pressure prong of the Fraud Triangle. This is a foreseeable risk that you should incorporate into your risk profile. But compliance and financial controls need human oversight. Do not assume that SAP, Oracle or any other ERP system your company may employ will give you auto notices that someone has evaded, over-ridden or simply circumvented your controls. Be ever vigilant.

Vince Walden, Managing Director at Alvarez and Marsal Holdings, LLC, says to look more closely at your “payment stream, post contract.” Now could be a very good time to monitor your outgoing payments after a contract is signed. I often say the most critical step in the five-step lifecycle of third-party relationships is managing the relationship after the contract is signed. Now expand that concept into corporate financial outgoings in a large international contract and all expenses that are charged to it. With several Foreign Corrupt Practices Act (FCPA) enforcement actions involving customers in on the bribery scheme, now might be a very propitious time to review those streams.

C. Corruption Enforcement Never Sleeps

In their FCPA Blog post, Kevin Abikoff and Mike Huneke said, “There is no COVID-19 Defense to Corruption”. That is such a powerful statement they titled their piece with it. Just as fraud never sleeps, enforcement will not either and two, three or four years down the road when you find out your internal controls were over-ridden or circumvented and you will remind the regulators that this was during the height of the coronavirus health crisis, it will not matter one iota. They stated, “As with many things relating to compliance, the real audience is always a hypothetical, and likely hostile, regulator who—many years in the future—is asking your company about a prior relationship while under an assumption that the relationship allowed illegal conduct to occur. In these circumstances, the current pandemic that is so affecting our lives and our way of working will be either entirely forgotten, or at best, severely under-appreciated.”

I hope you have found this series helpful. For the next couple of months, I hope you will check out my latest podcast series Compliance and Coronavirus, available on a wide variety of sites including The Compliance Podcast Network and iTunes. It will post three days per week, each Tuesday, Wednesday and Thursday at 9 AM CST. It will bring you some of the best thought leadership and practical tips for navigating what Mike Cherkasky, Executive Chairman and Head of Exiger Government Services, told me was perhaps the greatest health and economic crisis since World War II.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox - Compliance Evangelist | Attorney Advertising
