Written by Theodore L. Banks
Do you have a compliance risk assessment? And have you updated it?
As part of good management practices, every business should conduct a risk assessment so that it can, wherever possible, anticipate and plan for the risks that the business faces. This, of course, includes legal risks. So, the first step of designing a compliance program is to identify legal risks that are generally faced by every company, and those that are specific to an industry or a company. For example, while every company should make certain that it complies with applicable employment laws, a company involved with a nonmanufacturing business like website design need not spend much time on an environmental compliance program.
How do you identify the compliance risks for a company? The history of the company or other companies in the same business would be a good starting point. Often a compliance attorney can help by reviewing a “taxonomy” of legal risks with the company to identify those that are relevant. But not every risk has the same significance. For each item, there would need to be an analysis of the likelihood that the problem would occur, and the severity of the impact of the problem if it were to erupt.
The impact of a possible violation would include both criminal prosecution and civil litigation. The consequences include not just criminal penalties and civil damages but also damage to a company’s reputation. Certain violations may go to the core of a company’s business, such as a food company that is convicted of selling unsafe products, which may essentially put the company out of business. Companies also need to contend with what is said on social media that may have a devastating impact even when only an accusation is reported, not a conviction. If a company is a government contractor, it may find that it is “debarred” from doing business with the government.
The risk assessment will consider the likelihood of violation both before and after a compliance program is put into place. The rules in some legal areas are so technical that an employee with no intent to violate the law may unintentionally do things that may expose the company (and the employee) to serious liability. The compliance program will usually train employees on their compliance obligations and impose various business controls to reduce the likelihood of violations, whether unintentional or otherwise.
But a risk assessment is not something that can be done one time and then put on the shelf. It must be periodically reviewed to consider whether internal or external changes have altered the company’s risk profile. Has the company acquired another company or entered into a new line of business? Have new laws been enacted or court decisions rendered? Do the concerns of the public signify the need to focus on new areas of compliance? The death of George Floyd and the Black Lives Matter should be a wake-up call to every company to refocus on its program of equality and diversity, and pay particular attention to unintentional discrimination.
Companies may alter their organization to attempt to save money. The company may move from a centralized to decentralized structure, or head count reduced with the result that certain compliance obligations may be forgotten. Departments may be outsourced, with a loss of institutional knowledge and perhaps competence that will impact on compliance
And then there is the completely unexpected impact of a pandemic. The virus will impact on virtually every area of business operations, and a company’s natural first reaction will be to focus on how to keep the business going. But it must also do so in a way that is legal. For this reason, it is imperative that lawyers or compliance professionals participate in decisions whether operations are altered in response to the virus. In some situations, there will not be significant compliance implications, and the presence of lawyers or compliance professionals will not complicate or delay the decisionmaking process. However, in other circumstances, legal consequences may be significant. For example, if the disruption to the supply chain makes production difficult, a company may wish to align with certain competitors to coordinate purchasing (or manufacturing or selling). While the move may make business sense, in normal times it would be a clear antitrust violation. However, the FTC and Justice Department have announced their willingness to review proposed competitor cooperation on an expedited basis, and in 2020 have already approved several arrangements.
But the challenge is to identify when the compliance risk is present. Every legal area should be reviewed with a subject matter expert to evaluate if the risk profile has changed. A few examples:
These are just a few of the considerations that have arisen in the aftermath of the COVID-19 pandemic. But they readily illustrate the point that every company should have a compliance risk assessment, and that risk assessment needs to be updated when conditions change.