An effective compliance program evolves with risk, and changes in the market are an important part of assessing risk. Given the unprecedented, rapid changes in the business landscape – internal and external – companies should assess their risk profiles and compliance programs often. Here are key questions to ask when doing that in light of these recent, rapid changes:
Layoffs and/or Attrition
- Has the company reduced its workforce or lost significant numbers of employees to attrition?
- Have losses affected gatekeeper functions like compliance, legal, finance and HR?
- Have you lost gatekeepers in markets with outsized compliance risk?
- Changes to internal teams and organization can affect a program’s operations and effectiveness. Having the right gatekeepers in place – and empowering them – is a key part of a successful compliance program.
Staffing & Operations
- Has your workforce changed from the previous staffing model? For example, have any business functions moved to remote work?
- If so, does this affect gatekeepers’ “eyes on the ground” in risky markets?
ERPs and Other Systems
- How automated are your financial controls?
- How much visibility do gatekeepers have to ongoing financial transactions, particularly if gatekeepers sit outside a risky market?
Products & Development
- Has your approach to product development changed? To the product pipeline?
- Have you released new products?
- Have you accounted for regulatory requirements associated with new products?
Customer and User Interactions
- Do you interact with customers in a new way?
- If so, do you use new tools or systems? Have you assessed the regulatory risks this presents?
- Has the company entered or exited markets? Where? What’s the risk profile?
- How has the company accounted for geopolitical risk?
- Does the company have a presence in Russia or Ukraine? Did it?
Vendors & Suppliers
- Has the company onboarded new vendors and suppliers to address supply chain challenges?
- Did those vendors complete and pass compliance due diligence?
- Were vendors high-risk? Have they been audited?
Partners & Ventures
- Have you entered new partnerships, launched ventures, started a subsidiary or organized a new entity?
- Has compliance or audit followed up to assess whether compliance integration has been successful?
- Have regulatory changes affected your operations?
- Have authorities investigated or taken enforcement actions against your competitors or industry, or in the places where you operate?
- Has the company considered any lessons from investigations or enforcement actions? For example, authorities have increased their focus on investigations related to COVID-19 relief programs.
Once you go through the risk assessment process, compare the answers to existing compliance controls and evaluate whether to add or enhance any controls.
Asking and answering these questions, and adjusting when necessary, is important to building an effective compliance program in a world of frequent change.