
Compliance leaders are being forced to ‘do more with less.’ Here’s what it means

New compliance risks are emerging as a result of Covid-19. With new work patterns inside companies and outside, risk patterns have shifted. Yet many companies are furloughing or reducing staff dedicated to anti-bribery and anti-corruption functions, often in direct contrast to changing and rising compliance needs. Here’s a look at some new risks and ways for compliance leaders to respond by “doing more with less.”

Government agencies across the globe have been “temporarily” closed due to Covid-19. Companies are experiencing significant delays in obtaining required permits, licenses, visas, and the like. They may feel dramatically increased pressure to pay facilitation payments to expedite these processes. Although allowed by the FCPA in limited circumstances, most national anti-bribery legislation prohibits facilitation payments.

Additionally, with travel restrictions in place, companies have reduced or put on hold their in-country audits of distributors and other third parties. Before Covid-19, compliance teams were already challenged with a lack of resources to monitor and safeguard high standards of behavior, so these changes – particularly the deviation from best practices – will offer even more opportunity for bribery and corruption.

These are just two examples of new risks emerging when companies are trimming compliance resources, creating a situation full of potential downside. What then should compliance leaders do to get ahead of these risks?

Use data analysis to prioritize activities. Start using data to identify the riskiest areas where compliance resources should be allocated. This enhancement doesn’t require extensive additional resources but can help to maximize the efficient use of compliance resources already available. When we talk about using data analysis in this context, we’re referring, for example, to data analytics on global travel and expense reimbursements that can identify unusual spikes in employee spending, or unusual explanations or justifications for travel and expense reimbursement requests. The same sort of approach can be applied to permits and licensing — that is, analyzing trends of spending and comparing current levels with prior periods.

Move to remote compliance reviews and investigations. With travel severely restricted, teams need to adopt a remote compliance audit model, with sufficient resources allocated to compliance activities across the world. Companies can invest in resources with multiple language skills and offer regular training, outsource to specialized firms where local language and knowledge is required, or use mixed teams to navigate this new reality of remote compliance reviews.

Avoid allowing business pressures to water down compliance requirements. These are challenging times for the commercial side of so many business lines. The temptation has increased to modify compliance programs and thereby accelerate growth into new markets or rejuvenate existing markets. But companies should agree to modify compliance processes only when objectively required and justified (in writing, of course) — and then only on a temporary basis. Some decisions are easier than others: moving from live to online compliance training, for example. But removing training altogether for vendors, for example, or exempting them from Code of Conduct certifications, is far more problematic. And importantly, all employees should be reminded that although they may be working remotely under challenging conditions, they should use the company’s ethics line whenever they see (or sense) that something might be wrong.

Assess the practical impact of Covid-19 on compliance. As part of Covid-19 remediation actions, include questions about the impact of Covid-19 on workflow and functions. Ask employees how government closures have impacted them and the company, and how the closures are being dealt with. How are employees now interacting with government officials? Who are the officials? What is the process for dealing with them? What are the current procedures for selling goods or services to the government? And so on. Questions about employee morale are also important as part of any compliance assessment.

In today’s environment, where companies may be fighting for their survival, the temptations and pressures to stray into gray areas are enormous. This is a time when compliance leaders need to be vigilant, proactive, and most of all, able and willing to transform programs by doing more with less. Compliance alone won’t make an organization successful, but noncompliance can break it.


Amanda Rigby, pictured above left, is a Principal in the Chicago office of KPMG LLP, where she is a member of the Forensic Service Line. She focuses on investigations, regulatory compliance, integrity due diligence, and dispute advisory services.

Matthew McFillin, above right, is a Partner in the KPMG Forensic practice, leading the Fraud, Investigations and Disputes solution. He provides investigative and dispute services for attorneys and corporate management on a variety of matters involving financial statement fraud investigations, FCPA issues, government contracts, and business disputes.

1 Comment

  1. All valid points and a sign of the times. One suggestion for data analytics on travel… expense reports may not be submitted for 2-4 weeks after the travel or expense has been incurred creating a problem for timely review. Depending on processes and systems, compliance can be included on international travel requests or bookings either as an approver, as a notification, or a periodic system report. This allows compliance to potentially identify unusual activity even before it occurs.
