Compliance at the best of times is often met with sighs and feelings of burden and “we need to do it because we’ve been told to” attitude. In a COVID-19 world, there is an even greater chance of this reaction when we consider there are so many more important things to do and worry about. Yet compliance is one of the most critical functions when it comes to managing and defeating COVID-19.
Compliance means conforming to “rules”. The rules applying to an organisation are referred to as “Compliance Obligations” and consist of two main types:
Rules that an organisation has to comply with being:
-
- External Regulatory, covering laws and regulations
- External Contractual, covering rules written into contracts we have with other parties
We refer to these as “Compliance Requirements”.
Rules that an organisation chooses to comply with, which consist of:
-
- External standards
- Internal policies, codes of conduct, internal service level agreements and the like
We refer to these as “Compliance Commitments”.
So what are these compliance obligations for?
Fundamentally, compliance obligations are there to ensure human and organisational behaviour stays within the risk appetite of the jurisdictions we operate in (regulatory obligations), within the risk appetite of parties who we are transacting with (legal compliance) and within the risk appetite of the organisation itself (compliance commitments).
It is critical organisations do not drop the compliance ball during this difficult period.
Compliance-based compliance and ethics-based compliance
Compliance-based compliance focusses solely on compliance requirements – things we have to comply with. We do the minimum to comply and that’s it. Our focus is meeting the rules.
In the COVID-19 world, we are seeing this based on peoples’ behaviour that follows what latest government rules are put in place. These people are the last ones to have a drink before the bars are shut down. The comply because of the rule, not because of the reason for the rule. This behaviour reflects no concept of why we have compliance requirements. We are having social compliance requirements put upon us in order to manage the infection risk of COVID-19 and to ensure we operate within what is deemed to be society’s (manifested through government views) risk appetite.
Ethics-based compliance focusses on rules that reflect our personal and organisation values where these exceed the compliance requirements. This demonstrates that we fully understand the reason for compliance obligations, for the management of risk within risk appetite.
As a family based in Sydney, Australia, we decided to substantially isolate 8-10 days prior to being ordered to by our government including taking our kids out of school, mainly to ensure we were not part of the infection chain. We were lucky we could work from home and substantially isolate with our children.
This is ethical compliance, based on our own internal rules (that were not that popular with our kids in the initial period!). We have friends who are doing as much as they can for as long as they can based on government rules – this is compliance-based compliance. And then sadly there are those that choose not to comply with the government’s compliance requirements and arrests and fines are the result.
So how does compliance and COVID-19 fit together and affect each other?
1. Method of implementing and enforcing minimum controls across society
Initially, as did many other governments, the Australian Government gave recommendations for behaviour. This was on the hope that the majority of the Australian public would apply their own “ethical” compliance and “do the right” thing.
Unfortunately, the level of ethical compliance for many was woefully lacking and social distancing was not being respected. This then lead to compliance requirements being imposed with the force of law and threat of fine and imprisonment.
The whole purpose of this is to ensure minimum controls over COVID-19 infection risk are in place and working. Compliance is there to protect us!
2. Deferred compliance changes
We have seen a number of regulators deferring the implementation of new regulatory regimes in response to COVID-19 in order to give relief in these difficult times, something they should be commended for! These are for compliance requirements that are of less importance than the current crisis. We need to change our compliance projects to defer the work for more important matters.
3. Adding new compliance requirements and commitments
We are seeing a raft of new compliance requirements being imposed almost on a daily basis, primarily around social distancing and isolation. Also, in financial services, we are seeing a range of government-led compliance changes to relieve financial suffering to customers. In the home rental space we are seeing new compliance requirements to protect renters from being evicted.
4. Increasing risk of non-compliance of existing obligations
COVID-19 has increased the risks of non-compliance in many areas. For example:
- HR practices of standing down staff may breach employment law
- Working from home has increased the risk of breaching data privacy laws
- New rules around the treatment of financial services customers has increased the risk of breaching conduct laws
What does this mean for compliance management during COVID-19?
Here is a checklist of compliance-related matters you need to consider in the current COVID-19 climate:
- Are your compliance obligations being kept up to date so that you are aware of what applies in what jurisdictions at any one time?
- Are your staff being made aware of the changed obligations on a timely basis?
- Are you obtaining evidence and attestations of compliance with the new obligations from your staff form their decentralised locations?
- Have you reassessed the risk of non-compliance from your changed operating model, particularly based on many staff working from home.
- Have you carefully considered the compliance obligations that maybe breached before you make COVID-19 response decisions, such as standing down staff?
- Are you making sure that all other compliance management functions are continuing and not being forgotten about as we react to COVID-19?
- Are you using your compliance framework and compliance system to advise staff of changes to our ethical compliance requirements (internal standards and policies) and obtaining their attestations and assurance that all staff are complying.
- Have you assessed how working from home will impact the compliance process and made changes accordingly?
All of this adds another layer of effort on already stretched compliance resources. Managing compliance and related compliance risks is no easy task and is made harder in the current environment. It is critical organisations do not "drop the ball" during this difficult period as the repercussions will only exacerbate the impact of the current situation.
Don’t take your eye off the compliance ball!
Feel free to speak with us if you need assistance in managing your compliance in this COVID-19 world.
What's Next?
We have scheduled two new live webinars on May 12th, one for APAC and one for UK & Europe, so you can join the session more convenient for you. Save your spot to learn how Protecht.ERM can help you redefine you compliance management.