Compliance Continuity Management (CCM)
How do you ensure legal and regulatory compliance during times of disruption? We asked our panel of experts for their advice on how to react to the coronavirus pandemic.
Disruptive events like this can have an even worse impact on your regulatory compliance. As your staff are distracted by other priorities, there's a risk that compliance drops off the priority list, at least temporarily.
But that's what business continuity planners have been preparing for. As part of contingency planning and crisis management, they've been preparing for challenging and potentially disruptive situations such as these, and working on how quickly to restore 'business as usual'.
How to ensure compliance continuity
Our panel of experts offer their opinions on how to ensure compliance is delivered across everything from anti-bribery, money laundering and data protection to equality.
- Compliance culture is key
- Build trust to remove the 'them' & 'us' barrier
- Communication is the fuel of trust
- Remote-working is a double-edged solution
- No excuses for Financial Services firms, you were warned
- Compliance vs operational resilience
- Don't forget about the regulators!
- Practice makes perfect compliance
- Our panel of experts
Compliance culture is key
Corporate culture - variously defined as 'How people behave in groups' or 'What people do when there is nobody watching' - matters. And it is never more important and - dare we say - never tested quite so much as at times of disruption or crisis. That's because your team may be working at irregular times, in different locations (for example, if they are self-isolating, in quarantine or marooned abroad due to protests, the collapse of a travel company or for a multitude of other reasons). That means they are also away from their usual support mechanisms, away from trusted colleagues, and, crucially, often beyond the reach and out of sight of a reassuring and watchful supervisor or manager.
In short, this will be a test, like no other, of:
- How ingrained company values really are
- How well they know our policies (no peeking, you're flying solo now)
- How they respond to challenging situations/ethical dilemmas (when no-one's watching)
- Their spirit, resilience and true personality and 'fit' with your company
For example, are they reliable, trustworthy, and dependable? Without constant supervision or your reassuring presence, might they abscond, stray into risky activity, or worse, start to act and behave differently?
Done right, culture should instil your people with the right values and mindset. If your training is right, those values should be reinforced often and at regular intervals so everyone knows what "the right thing to do" is, without having to check the policy. In a crisis, you can't sit at their shoulder or catch them as they fall before things go wrong. And, that's why your culture also needs to be empowering. Not something they get straight from a Code of Conduct or out of the latest playbook. Culture is our shared values, our attitude, spirit and mindset. But it should also be meaningful and underpin everything they do. It should be part of your team's DNA, if you will.
So, wherever they are working and whatever the disruption faced, your culture should be exactly the same. It's who we are.
Build trust to remove the 'them' & 'us' barrier
Disruptive events, like Coronavirus, are by their very nature unsettling and create uncertainty. We see it in the markets, in what customers and our own team say. No-one knows exactly what is going to happen and that impacts confidence. Sometimes, disruptive events and crises - e.g. cyberattack - may also shine an uncomfortable light on our company. Stakeholders expect reassurance at these times too, not least confirmation that you've 'got this'.
At times of disruption and crisis, people need to know who they can trust. Compliance issues put trust firmly in the spotlight. Whether it's trust in your motivations. Trust in the company to keep delivering. Trust in your team to do what they say and meet their commitments. Regulators too seek assurances and trust that as a company and compliance professional you've got everything covered.
All too often, compliance is seen as some distant unit that's detached from the rest of the business (there's a 'Them' and 'Us' syndrome). It doesn't have to be this way. In reality, there's no 'Them' and 'Us'. We are one. We are all 'Compliance'.
Compliance is not a kind of coating that we only apply when the work's done. Just like culture, it's integrated into everything we do. It's not a binary choice - profit or principles - it's both.
Why does this matter? Because, when faced with unprecedented disruption or a crisis event, we need a more holistic and joined-up approach. We cannot bounce back and adapt as efficiently as separate units; only by working together, as one unified force. This joined-up approach ensures our contingency plans take account of what's right for the future of the business, for our employees, and also our customers and the wider community.
Communication is the fuel of trust
Effective communication is essential to maintain trust and confidence - with your internal team, as well as the board, specialists and external stakeholders. Think through how you are going to coordinate the message - whether you're keeping staff informed of good practice, or bringing together specialists with senior managers to ensure the most effective response.
For most firms, you'll be able to tap into existing communications tools (email, intranet, etc) but additional platforms (e.g. collaboration apps and tools), dedicated groups and channels (e.g. between the board and any specialists) may well be activated. Think too about how you're going to pump out any direct emergency communications (e.g. SMS alert lines) and urge people now to update their contact details. Your Business Continuity Plan should have everything you need, primed and ready to go.
Remote-working is a double-edged solution
Rightly or wrongly, the Coronavirus has prompted a lot of organisations to implement measures to reduce the risk of spreading the virus. Rather than going into a debate about whether many of these measures are either prudent or excessive, the fact remains that they have a real impact on how businesses are run.
A key measure is to encourage people to work from home as much as possible and to move most human interaction from face-to-face meetings to Google Classroom and Google Hangouts type environments.
‘Internet savvy’ companies pride themselves on having business continuity plans that allow staff to carry on working as normal because of their sophisticated tech enablement strategies.
Often business continuity strategies are designed to deal with short-term disruption, and the focus is on ensuring that delivery deadlines continue to be met and that the front line can continue selling. But what about compliance? A meeting is a meeting whether in a room or online, surely?
So many firms are encouraging the working-from-home principle in an attempt to protect themselves and their employees from illness, but is this out of genuine concern for the health and well-being of their staff, or just an attempt to ensure that the firm doesn’t operationally collapse under the weight of staff sickness and absence?
Self-isolation is another term very recently introduced to our everyday parlance, and whilst in any situation and at any time, staying away from work (or any other public place) when you are ill and possibly contagious is the sensible and considerate thing to do, this recent outbreak of Coronavirus has almost become a free licence for those seeking to abuse the system to stay away from work for up to 14 days under the auspices of “self-isolation”.
After all, how is an employer expected to know for sure whether a friend or relative of an employee has recently travelled back from a country currently declared as high-risk, or whether a child at school has just returned from a family holiday to Italy, for example? The short answer is, it can’t – therefore, one of the immediate risks facing firms now is its own staff abusing the outbreak of illness and using it to their own advantage.
Why would staff do that though? They would still need to work from home, so it’s not like they are getting two weeks’ extra annual leave, is it? No, it’s not, but creating a position of “self-isolation” in order to personally gain could be considered a form of employee fraud.
However, for a fraud to occur, one party must gain and the other lose. If this is the case, the employer would lose as their employee is not at work through misrepresentation of facts, but what is the gain for the employee? Not having to get up so early or return home so late, not having to pay car park or travel costs and maybe not having to pay childminding fees.
This could all add up to become a form of rationalisation in the employee’s mind for declaring the need for “self-isolation”, and we know that rationalisation is one of the three parts required to complete the fraud triangle, with pressure and opportunity being the other two – both of which could be considered as present in this current situation.
The pressure may be arising from a childminder or nursery not providing their usual level of service as they are themselves entering into a period of self-isolation, or just reducing their working capabilities in order to help prevent further contamination within the local community.
No excuses for Financial Services firms, you were warned
The current situation with COVID-19 is testing businesses to the limits, with decisions about how to structure business locations and interactions having to be made and revised on a daily basis.
Crisis management is not a new issue for financial services firms, but it is quite amazing how the outbreak of COVID-19 has coincided with the closest focus on operational resilience by regulators for a long time.
The FCA and PRA kicked off this process with a Discussion Paper on the subject, and then followed it up with joint consultations in December 2019. These made it clear that firms needed to manage their resilience in accordance with carefully selected impact tolerances, having identified their most important business services (note – from the point of view of consumer harm and market integrity; two subjects close to regulators’ hearts).
Compliance vs operational resilience
Compliance resilience is something slightly different to operational resilience. Of course, firms should take major incidents like COVID-19 extremely seriously, and businesses across the country will be engaged in full crisis management mode right now, taking care of issues such as limiting personal interactions, instructing people to work from home etc.
As part of this process, crisis management teams should be meeting regularly (if not daily) to discuss how effectively their plans are working, whether any changes need to be made, and whether any emergency action is needed related to the spread of the virus.
All of this has two primary aims – to protect the health and well-being of the staff and to ensure the business continues to service its clients with minimal disruption. Compliance teams should be an integral part of this process, but their agenda needs to be slightly different.
Don't forget about the regulators!
Whilst all of this management activity is going on, the regulators are looking closely at what firms are doing. The FCA, for example, issued a statement recently in which it said that it is looking at the contingency plans of a wide range of firms, which suggests not just major businesses. With such close focus on activities by the regulators, it is the job of compliance functions to ensure that the regulatory expectations continue to be met.
Of course, there is a convergence in terms of expectations and operational requirements, as both businesses and regulators want the same thing in many areas. They both want customers to continue to be served, they both want staff to be kept safe and well, and they both want to ensure operational risks are effectively managed.
Nevertheless, there are specific regulatory requirements that compliance teams need to be aware of, ensuring they do not slip down the agenda.
Practice makes perfect compliance
Unless companies have a well-developed home working culture and framework, moving large employee populations to work from home can bring significant compliance risks.
An important aspect of a compliance culture is how groups socially interact and what behaviour the group promotes and discourages. Companies well versed in homeworking will have their compliance strategy developed with that lack of social interaction in mind, others may not.
The spread of COVID-19 has prompted radical changes to curb spreading and to preserve revenue, but there is a risk that this may well take a bit longer than hoped, and isolated employees may be more likely to try circumventing compliance processes than when they are in a group situation.
This should be considered when developing a business continuity plan especially when the plan needs to ensure business continuity for a longer period of time.
We may have theorised, strategised and reached anticipated conclusions as to what we will or won't do in response to any given risk. It is only now, when a real risk is presented to us, that we have to consider whether all of our historic work has been worthwhile, whether it really presents adequate cover and answers to the questions that we now raise.
In honesty, most people would say that if anything, they anticipated the implementation of their business disruption plans to come following a flood, electrical failure in the office or at worst, a terrorist attack. In such situations, the planned working from home, working from a second office site and phased return to work would work reasonably well.
However, whilst quite likely spoken about and possibly even documented, has anyone ever given serious consideration to business resilience in the wake of an epidemic or pandemic? Have we really considered the impact of and tested the implications of long term, enforced business resilience that includes at its heart a prolonged period of staff working from home? I suspect that the answer is no.
Maybe now we should start thinking about all risks carrying equal weight – after all, it seems as likely now that we could be impacted by a virus as it does a terrorist attack.
Our panel of experts
Jan has been advising firms to manage financial crime risk and providing compliance and training solutions over a career spanning two decades at Ernst & Young, MHA and Thomson Reuters. He now helps firms to select appropriate technologies to assist in managing the increasingly complex demands put on organisations by fast-paced regulatory change in respect of money laundering and terrorism financing.
Lynne is an instructional designer with over 20 years' storyboarding experience. Her current areas of interest are mobile learning and exploring how cognitive theories of learning can create better learner experiences.
Martyn is a writer and thought leader in financial markets, wealth management, insurance, regulation, risk management, and cybercrime. He has worked in the trenches to deliver compliance improvements, and now focuses on contributing to compliance best practice on several forums.
Martin has over two decades of experience at the front-line in compliance, financial crime prevention and data protection, along with a further decade of experience consulting, in-person training and interacting with professionals at hundreds of firms. He is a keen promoter of joined-up thinking in compliance training and management and of creating a culture that gets employees at all levels engaging with the compliance department.