Many of the recent posts on the FCPA Blog have dealt with various aspects of Covid-19: our very personal health concerns, enhanced bribery risks, enforcement, and the possible impact on the operation of compliance systems and compliance organizations in times of travel bans and budget constraints in many industries.
Naturally, this tends to become a gloomy outlook. And it does seem possible that the “stand-alone” anti-bribery compliance department in a corporation will be challenged as economic pressure on “corporate” resources increases during the pandemic and continues during the recovery phase. However, this is also an opportunity if companies and compliance leaders leverage the huge potential of combining ethics, enterprise risk management and compliance.
Let us start with the interdependency between enterprise risk management and compliance. Still today, the compliance and the enterprise risk management functions in many corporations work in stand-alone silos. This is an unhealthy situation in any case but becomes glaringly obvious in a crisis like Covid-19, where there is an urgent need for cross-functional crisis and risk management. So, what role should the compliance officer play? I believe a decisive one.
In the last two decades, experienced compliance officers have developed a skill: designing and implementing processes and projects in a risk-based way across an entire corporation. Moreover, they have often done so in the middle of a severe reputational crisis — for example, FCPA investigations. Compliance leaders know the importance of risk management, are crisis-proven, and are often good communicators, as communication skills are key to setting up and running a successful compliance system. Now, you may argue that risk management in anti-bribery or antitrust compliance is different from the full portfolio of enterprise risk management. True, if you look at it from a subject matter expert point of view. But if we talk about competency and experience on a management level, it is a different picture.
Over the years, compliance officers have designed and implemented the now recognized three pillars of an effective compliance system: prevent, detect and respond, including monitoring and remediation. This system is equally valid for all relevant risk functions in a corporation, including health, safety and environment, business continuity and emergency management, data privacy, quality, IT security, finance and others. Instead of being “just another workstream,” courageous, risk-aware and crisis-resilient compliance officers can rightfully claim consideration for the lead or at least the coordination of an integrated risk management system in corporations. If this is achieved in full alignment with the General Counsel as a peer and partner, the assurance level of the company will increase significantly.
There is another important reason why compliance should be tasked with taking on broader responsibility for risk and crisis management in a company. Having a clear and solid risk and compliance framework is non-negotiable for corporations, and Covid-19 will put this under an even greater stress test. But in the end, it is the ethical dimension of risk-taking which makes the difference and shapes the reputation of a corporation.
Companies are part of society – for the good and for the bad. They generate wealth and growth for the world but are also capable of creating significant harm. You can observe this clearly today. Many companies are supporting, or even driving, the fight against Covid-19. This will rightfully remind people and governments that companies are an essential part of society as “good corporate citizens.” Nevertheless, we also see bad actors recklessly exploiting fear and need, and sometimes, companies do get it wrong. However, often it is not about an easy right or wrong but about difficult ethical dilemmas, especially in the pharmaceutical industry, when the need for medicines and treatment is higher than the ability to supply, or where tough choices are needed to determine where to research and develop future medicines.
Working on these ethical dilemmas is truly part of risk management, of course in close cooperation with other major players in the company such as the Legal or Human Resources functions. A meaningful code of ethics that reaches the minds and hearts of employees cannot be developed by a corporate department in a silo. It must be based on behavioral science, it must address the company’s risks, and it must be developed with as many employee voices as possible, using innovative crowdsourcing methods. A code of ethics for employees by employees, driving collective ownership and accountability for doing what’s right.
Now, the question is: who in a corporation is best suited to moderate this ethical discussion, taking into account the risk exposure and the compliance challenges of the corporation? Covid-19 is – hopefully – a unique challenge for our generation. But it is also an opportunity to bring ethics, risk and compliance together.