Six senior compliance practitioners answer two questions about how they fared in 2020, from wrestling with new risks amid the pandemic to the most valuable lessons learned during a year rife with crisis:
Q1. What’s the biggest unanticipated risk the pandemic uncovered for you, and how have you dealt with it?
Meet the CCOs
University Chief Compliance Officer
Years in compliance: 22
VP, Chief Compliance Officer and CRA Officer
Hingham Savings Bank
Years in compliance: 9
VP, Chief Compliance Officer
Years in compliance: 12
Chief Compliance Officer and Privacy Counsel
Years in compliance: 15
SVP, Chief Compliance Officer
Option Care Health
Years in compliance: 19
General Counsel, Vice President, and Chief Risk and Compliance Officer
Years in compliance: 23
DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.
ROB CLARK: The biggest unanticipated risk that has been identified is the issue of communication. While our institution has embraced increased connection via Teams and Zoom, that cannot replace the value of more informal interactions that take place in hallways; around the water cooler; in the cafeteria; walking around campus; and in impromptu conversations that take place when participating in and attending large meetings, work-related social gatherings, and university sporting events. The absence of these opportunities has increased the feeling of being ‘disconnected’ from the ‘culture’ of the organization. While there is no scientific data to support this, the perceived risk through anecdotal comments and interviews is that individuals may be reluctant to ask clarifying questions about processes and procedures via email—questions that they most likely would have asked if they had the opportunity to do so informally and in person.
MARK CONSTABLE: I think there are two relevant answers to this question. The first is the change from an historically physical process and presence when it comes to operational matters. We process physical documents and work in an environment where we are face-to-face for meetings, discussions, and social interaction. COVID required a rapid adjustment to digital, remote, and video. Second, from a compliance standpoint, we were required to quickly review, comprehend, and implement procedures which incorporated the many COVID-related federal and state statutes regarding mortgage loan origination and servicing while at the same time training staff and keeping the board of directors well informed. The ability to rapidly adapt is essential and is easier to achieve when starting with a strong and established compliance management program.
LUIS KOLSTER: It is much easier to connect with people at different levels in an organization when you have face-to-face interactions. This applies to all members of the compliance team. They are trusted advisors to their business partners, and operating in a virtual environment can be a test to the strength of that partnership. I have been privileged to join Baker Hughes in 2020, and I have quickly seen how all company leaders and employees are committed to acting with integrity. After just a few months in the company, I have been able to connect virtually with all members of the company’s leadership team, and I have seen how the compliance organization is perceived as a true business partner at all levels.
KAREN MOORE: Transitioning very quickly to about 95 percent of our workforce working from home created increased risks in use of company equipment for personal use while also potentially exposing networks using unsecured connections. Working with our information security team, we were able to address this as a priority through communications and equipment and systems changes. At the same time, we identified a number of additional risks. As people spend more time working at home, we noticed an uptick in social media postings, and as financial pressures hit families, we were concerned about an increase in second jobs. Finally, and very importantly, the challenge of onboarding new hires during a pandemic and having them feel part of and commit to the company values has presented opportunities for creative approaches for the compliance program. We have readjusted program plans several times this year, updating policies, deploying training, and increasing the touch points with our associates to keep them informed and engaged.
CARI REED: Beyond the pandemic itself, the biggest unanticipated compliance risk was the rapid shift of our office-based workforce members to a work-from-home environment. We had to partner across multiple functions in our organization to establish secure, remote access to our systems; work through logistical concerns like provisioning and getting equipment like laptops to our employees; adjust policies and work processes; and train to the changes, all while ensuring we continued to be in alignment with HIPAA and information security standards. It was paramount to make sound decisions in short order, so we could continue to provide services to our patients and communicate with other providers in addition to meeting critical administrative business needs. Increased communications reinforcing our patient privacy standards and company policies in the remote work environment has been a constant as well since the start of the pandemic.
CHARLOTTE YOUNG: The impact on the ability to deliver our programs. We are an international development corporation, and much of our work is done in the field, face-to-face, helping people in the areas (for example) of human trafficking, agriculture, child labor, women’s empowerment, market solutions, climate change, etc. Our inability to travel and to meet with people has been a challenge for us. But we have pivoted with remote meetings and in some cases have simply pivoted to COVID-facing work.
Q2. What’s the most important compliance lesson you learned in 2020?
ROB CLARK: The most important compliance lesson learned is the value of interaction and collaboration. Many organizations acknowledge the risks of operating in ‘silos.’ People working remotely has shone a bright flashlight on that issue and further exposed organizational gaps. Fortunately, this has been helpful, as it brings to the surface those organizational issues of effectiveness, efficiency, and compliance that need to be addressed. It has also made evident those within the organization who are doing most of the heavy lifting and those who have been coasting along under the radar. The contribution and value added by each employee becomes clear and is no longer measured by just the time one warms a desk chair in the office.
MARK CONSTABLE: Remote work can disrupt what we used to consider a normal work environment when it comes to communication, training, and meetings; however, compliance work doesn’t slow down and wait for you to adapt. Compliance also doesn’t sit with one person. Continuous open communication between management and staff is essential when adjusting to sometimes daily developments on both a federal and state level as COVID itself developed. The other consideration, which is not new to compliance but highlighted with the demands we have seen in 2020, is documentation. Federal and state regulators need to see the strength of a compliance program and ability to adapt to ever-changing environments, and a well-documented trail of project plans, training, communication, and policy adjustments is vital.
LUIS KOLSTER: This year has been full of changes and challenges. One of the many things I learned in 2020 is that companies with strong values keep their employees engaged and motivated through tough times. While many employees are working remotely, it is very important to keep reminding everyone about the company’s expected behaviors of integrity and respect. Since I joined Baker Hughes, I have witnessed how the company’s leaders care about the health and safety of their staff and reinforce the importance of having open communication channels for employees to raise concerns, even in a virtual environment.
KAREN MOORE: Adversity can promote innovation and collaboration. There is a sense of all being in this together which has only strengthened the sense of unity within the company. I’m so proud of the resilience demonstrated by my colleagues, often under difficult circumstances. This year has highlighted the need for a compliance program to be able to quickly pivot to address risks arising from changes to our environment. It also strengthened our risk assessment approach to not only focus on the high-likelihood/high-impact risk quadrant, but also those unimaginable low-likelihood-but-high-impact risks that often languish in the lower quadrant of the heat map. Be prepared and be agile are the two lessons we learned this year.
CARI REED: Knowing and having the right people to go to in order to make important decisions quickly in the face of urgent needs was crucial to adapting. I green-lighted processes that I historically would have said presented too much risk, partnering with key leaders to discuss what doing so meant. It was important to get consensus and candid agreement on paths forward more than ever in such unprecedented times.
CHARLOTTE YOUNG: To be ready for the completely unexpected and to embrace it with the same amount of energy and devotion that you have for the things that are planned.
Ten things I’d like to see happen in 2021 (2020 in review)
- Currently reading
Ask a CCO: Compliance leaders share pandemic lessons learned