COVID-19 Compliance Aftermath: Have You Updated Your Compliance Risk Assessment?

Written by Theodore L. Banks

Do you have a compliance risk assessment?  And have you updated it?

As part of good management practices, every business should conduct a risk assessment so that it can, wherever possible, anticipate and plan for the risks that the business faces.  This, of course, includes legal risks. So, the first step of designing a compliance program is to identify legal risks that are generally faced by every company, and those that are specific to an industry or a company.  For example, while every company should make certain that it complies with applicable employment laws, a company involved with a nonmanufacturing business like website design need not spend much time on an environmental compliance program.

How do you identify the compliance risks for a company?  The history of the company or other companies in the same business would be a good starting point.  Often a compliance attorney can help by reviewing a “taxonomy” of legal risks with the company to identify those that are relevant.  But not every risk has the same significance.  For each item, there would need to be an analysis of the likelihood that the problem would occur, and the severity of the impact of the problem if it were to erupt.

The impact of a possible violation would include both criminal prosecution and civil litigation. The consequences include not just criminal penalties and civil damages but also damage to a company’s reputation. Certain violations may go to the core of a company’s business, such as a food company that is convicted of selling unsafe products, which may essentially put the company out of business. Companies also need to contend with what is said on social media that may have a devastating impact even when only an accusation is reported, not a conviction.  If a company is a government contractor, it may find that it is “debarred” from doing business with the government.

The risk assessment will consider the likelihood of violation both before and after a compliance program is put into place. The rules in some legal areas are so technical that an employee with no intent to violate the law may unintentionally do things that may expose the company (and the employee) to serious liability. The compliance program will usually train employees on their compliance obligations and impose various business controls to reduce the likelihood of violations, whether unintentional or otherwise.

But a risk assessment is not something that can be done one time and then put on the shelf. It must be periodically reviewed to consider whether internal or external changes have altered the company’s risk profile. Has the company acquired another company or entered into a new line of business? Have new laws been enacted or court decisions rendered? Do the concerns of the public signify the need to focus on new areas of compliance?  The death of George Floyd and the Black Lives Matter movement should be a wake-up call to every company to refocus on its program of equality and diversity, and pay particular attention to unintentional discrimination.

Companies may alter their organization to attempt to save money.  The company may move from a centralized to a decentralized structure, or head count may be reduced, with the result that certain compliance obligations may be forgotten.  Departments may be outsourced, with a loss of institutional knowledge and perhaps competence that will impact compliance.

And then there is the completely unexpected impact of a pandemic.  The virus will impact virtually every area of business operations, and a company’s natural first reaction will be to focus on how to keep the business going.  But it must also do so in a way that is legal.  For this reason, it is imperative that lawyers or compliance professionals participate in decisions about whether operations are altered in response to the virus.  In some situations, there will not be significant compliance implications, and the presence of lawyers or compliance professionals will not complicate or delay the decision-making process.  However, in other circumstances, legal consequences may be significant.  For example, if the disruption to the supply chain makes production difficult, a company may wish to align with certain competitors to coordinate purchasing (or manufacturing or selling).  While the move may make business sense, in normal times it would be a clear antitrust violation.  However, the FTC and Justice Department have announced their willingness to review proposed competitor cooperation on an expedited basis, and in 2020 have already approved several arrangements.

But the challenge is to identify when the compliance risk is present.  Every legal area should be reviewed with a subject matter expert to evaluate if the risk profile has changed.  A few examples:

  • Americans with Disabilities Act:  How must medical examinations be conducted?  Is attendance still considered an essential job function?
  • Antitrust: Are standards for competitor cooperation relaxed?
  • Compliance: Have any aspects of the compliance program been weakened by responses to the pandemic?
  • Contracts: Can the company avoid certain contracts based on force majeure? Or will customers or suppliers do the same to the company?
  • Coronavirus legislation: Is the company aware of all legislation that may provide relief or impose new responsibilities?
  • Corporate: Have all necessary disclosures been made?
  • Corporate Governance: Are directors consulting with management about the financial impact of the pandemic, liquidity, dividends, share repurchase, health and safety, operations, employees, compensation, shareholder relations, litigation risk if share price falls, public disclosures, supply chain, customers, suppliers, insider trading, cybersecurity, business opportunities, compliance (to name just a few)?
  • Dept. of Labor: Must the company grant paid sick leave?
  • EEOC: Has there been an increase in complaints of adverse impact?
  • Electronic commerce: Have states allowed electronic measures to substitute for in-person meetings or paper documents?
  • Employee benefits: Have rules regarding pension withdrawals been followed?
  • Environment: Have rules been relaxed?
  • False Claims Act: The government is scrutinizing medical claims of government suppliers.
  • FCPA: Would it be a permissible “facilitating payment” to pay a local official to allow a facility to remain open if otherwise allowed under local law?
  • FDA/USDA: Any relaxation of inspection or labeling requirements?
  • Insurance: Is business interruption coverage available? Is coverage for diseases excluded?  Will directors & officers’ coverage be available for suits based on virus-related business decisions?
  • Patents: Can government require that patented technology be used by others?
  • Privacy: Are state privacy laws and HIPAA still in force?
  • Real estate: Can a virus-mandated business shut down be considered a condemnation?
  • Security: Are provisions against hackers adequate?
  • Tax: Can a state assert a nexus for taxation based on at-home workers?
  • Trade Secrets: Are risks of disclosure increased as employees work from home?
  • Worker Safety: Has there been retaliation against employees for exercising their right to work in an environment free from recognized hazards?

These are just a few of the considerations that have arisen in the aftermath of the COVID-19 pandemic.  But they readily illustrate the point that every company should have a compliance risk assessment, and that risk assessment needs to be updated when conditions change.

Ted Banks concentrates his practice on antitrust, compliance and life science. Ted has extensive experience with corporate litigation, including responsibility for contested mergers, environmental contamination, advertising, insurance coverage, products liability, employment law, consumer protection, and packaging and recycling.