Ingeborg Regeur, Senior Consultant at Laurence Simons Search, discusses with Anna Romberg*, Principal Consultant at Anchor Integrity, the impact COVID-19 is having on compliance functions today.
Anna Romberg* founded Anchor Integrity, a compliance consultancy, in 2018 and is also the co-founder of the Nordic Business Ethics Network.
Ingeborg Regeur (IR): Good morning, Anna, thank you for taking the time today to talk to me about how COVID-19 is impacting businesses within your field of compliance. For you, what disruption has COVID-19 caused to the business and how have you responded to this disruption? What have you had to do?
Anna Romberg (AR): The most visible impact is that everything has gone virtual and it happened very fast. My last business trip was visiting a client in Germany at the end of February and since then I have worked from my home office in Helsinki. Being in the consultancy space I see that the companies I work with struggle with very different things relating to COVID; some are struggling for survival and cash flow, and obviously that impacts project work as well, whilst others actually see a surge in demand and also realize that their processes are not equipped to tackle the risks and challenges this pandemic causes to their sales operation and supply chains, for example.
IR: Was your business and compliance team prepared for a global pandemic? If so how? Are there any new learnings or changes you have made from this initial preparation?
AR: Compliance teams were already, before the pandemic, used to working in global teams and a virtual space. However, we rely a lot on IRL interaction in terms of training workshops and investigations. Luckily the tools are there and these things can to a large extent also be done virtually. One client has been doing very innovative short videos and interactive training to fill the void of cancelled physical workshops. Strong networks and relationships are crucial to make the virtual reality work. I think we can learn a lot from using technology to stay in touch with the business and ensure that we provide real-time support.
IR: With existing supply chains being interrupted, companies might have to urgently find new – and untested – business partners, how are you dealing with third-party due diligence?
AR: This is a great question, and actually an area where I have seen an increased demand for support. Many third-party due diligence processes do not cater well for ad hoc and urgent needs and this is something we must cater for. It is not acceptable that the business operations should wait for several days or weeks for due diligence results when there is a critical need. My main recommendation is to ensure that the third-party processes truly are risk-based and that formalities do not become a stumbling block and create a false sense of comfort.
IR: How has COVID impacted your team and way of working?
AR: I am usually out in the field, meeting clients and visiting local operations of clients and this is of course not possible at this stage. Going virtual is a challenge when you work with multiple companies, as all companies have their own way of tackling this. So for me it is to ensure that I remain relevant and can provide the support that companies need, in the way that they need it.
IR: As you have not been able to do any site visits, meet clients or visit local operations how have you dealt with this? Has anything had to be put in place to avoid non-compliance or misconduct?
AR: The companies I work with all have strict travel bans and visits to local offices are not allowed. In some cases, there have been struggles with investigations and, in particular, remediation programs and disciplinary actions. In a 'clean up' phase you want to be able to go on the ground and ensure that root causes are properly remediated. If a person is going to be dismissed, you do want to provide an opportunity for them to be heard in advance and somehow it feels more human to do it face-to-face. So in some cases, I do unfortunately see that dealing with misconduct and remediation is lagging a bit due to COVID. However, it is still important to manage the risks and ensure that business going forward is clean and transparent even if you cannot do things as you would have pre-COVID. There is no pandemic defense for misconduct...
IR: In conducting internal investigations, how can data be collected? How do you monitor this and follow-up on any complaints or allegations that arise?
AR: This is a challenging area when offices are closed and all employees are working from home. But as said, this is no excuse, and I cannot stress enough that the risk-based approach applies here as well. When a complaint or allegation is raised, it is important to understand the risks and ensure that any possible misconduct is prevented going forward, even if it may take a bit longer to get to the bottom of what happened in the past.
IR: More businesses are interacting online which can see an increase in cybercrime, how are you keeping up to date with your IT systems and preventing business interruption?
AR: I do not see the risk of cybercrime as a new one; this is something that companies have been struggling with for a long time already. What the pandemic has done is to make the weaknesses and improvement areas of IT security compliance programs very visible. For example, it is vital to ensure that the controls and processes also work with a distributed workforce. Just because people are working from home does not mean that the agreed processes, for example change of employee or supplier bank accounts, can be relaxed. In addition, companies have to ensure that employees are aware of how to treat confidential data even when they are not in the office. I think the idea of a distributed workforce is here to stay, and companies must ensure their IT systems and related processes and controls are tailored for this. A basic rule is 'trust but verify' and stick to the process!
IR: Thank you, and finally, what would you say will be the biggest challenge for you and your team in the next weeks and months?
AR: I think one challenge is to keep business ethics and compliance on the agenda of boards and executive management teams. There are so many urgent topics and burning platforms that there may be a temptation to downplay your own role in compliance, but the gatekeeper role of compliance is more important than ever, to protect the business and ensure that the decisions that are made today will not come and haunt the companies and the decision-makers after five years. As compliance we must take pride in being gatekeepers and in enabling companies to successfully grasp business opportunities in this 'upside down' world.
IR: Anna, thank you very much for your time today. Stay safe!