Compliance Risks Spurred by the Pandemic Can’t be Ignored

Episode Notes

Transcript

[Music]

Intro: Welcome to the Robert Half Legal Report where we discuss current issues impacting the legal profession related to hiring, staff management and more with leading experts in the field. Robert Half Legal provides lawyers, paralegals and support staff to law firms and corporate legal departments on a project and full-time basis. The Robert Half Legal Report is here on the Legal Talk Network.

[Music]

Charles Volkert: Hello everyone and welcome. I’m Charles Volkert, Senior District President of Robert Half Legal and the host of our program. Our guest today is Kim Dickerson, Managing Director for Risk and Compliance Solutions at global consulting firm Protiviti. With more than 30 years consultation experience within the financial services sector, Kim assists clients to build and strengthen risk management frameworks, test for regulatory compliance and assess and enhance control environments. Kim, welcome to the show.

Kim Dickerson: Thank you so much. It’s really great to be here.

Charles Volkert: Excellent. Well Kim, thanks again for joining us and amid the far-reaching disruptions caused by the pandemic, law firm and legal department leaders have been laser-focused for many months on safeguarding client relationships, maintaining seamless delivery of legal services and supporting an engaged and productive staff. As a result, today’s law firms and legal teams are really functioning much differently than they ever did a year ago. Changes in operational procedures triggered by remote work arrangements, the introduction of additional outside vendor relationships to support supply chain concerns and countless new regulations are just a few critical areas where legal teams have adapted their efforts to keep business moving forward.

As they work to manage these and other health and business continuity matters, which they’re facing every day, this growing area of compliance and risk is something they simply can’t ignore that’s the topic of our program today and we’ll explore today’s heightened regulatory risk environment, effective approaches to determine if compliance practices are keeping pace with the shifting requirements and examine strategies to ensure compliance programs remain up-to-date and effective.

Kim, during the past several months, we’ve seen a number of legal trends emerge as a result of the pandemic such as significant growth in remote work, heightened employment and health-related litigation, increased bankruptcy filings and much more. How have those changes across the business landscape driven by the pandemic triggered new compliance risks for today’s professionals?

Kim Dickerson: Well, these are certainly unprecedented times but I often wonder if some of the changes we’re seeing right now in how we’re working were really already starting to happen but were accelerated by the pandemic, but in any event the changes we’ve experienced are definitely testing the strength of our operational processes. I’m sure there are many companies that had a business continuity management plan somewhere on a shelf that somewhere in that deck included a black swan event that covered, say, a global pandemic. But, in most cases, over the course of a few days, we all moved to a fully remote work environment and the impact was significant and not at all expected.

It changed things that were big, it changed things that were small, everything from how we communicate with one another to how we share and access information both internally and externally and that opened up a whole new set of risks around security and privacy of data.

As our needs have changed so too has the list of third-party service providers. We’ve begun thinking about questions that we have never thought about before like priorities including the health and safety of our employees and what requirements we’ll have to adhere to and how we reopen our offices, what needs to be in place in order to be compliant with local and state rules and regs around office reopening and whether or not we’ll require or encourage our employees to be vaccinated, how things like safe public transportation may impact those employees that are located in densely populated urban centers. It has changed fundamentally the things that we do and how we’re working and the things that are on the minds of corporate managers.

I think about the financial services industry where I spent a lot of time and the federal stimulus spending that has been provided to support businesses that were impacted by COVID has really put a strain on banks to fast-track loans that were likely to have a pretty long tail on the work. There are requirements and triggers that will move those loans to forgiveness and that forgiveness process will have to be managed and I’m certain there will be some additional work around investigation of fraudulent applications for that relief.

(00:05:14)

Then lastly, I’ll add that the change in administration in Washington is widely expected to usher in a return to regulatory compliance enforcement and particularly around consumer laws and regs and we’ll need to plan for that. So, there is no shortage of topics that managers need to consider.

Charles Volkert: Well, it’s interesting, your points Kim, that are so spot on and your great career in this risk and compliance area but that black swan moment happened and really drove everybody to take new things into consideration very, very quickly as you pointed out. Maybe touch a little bit in greater detail on what you believe from the new administration now that that’s in place. Are you going to be seeing related impact on additional compliance enforcement as a driver behind growth in focus on compliance and the simple demand in that area?

Kim Dickerson: I certainly think that most financial services industry risk managers are expecting it. There wasn’t a lot of enforcement during the last four years. As a matter of fact, one of the regulatory agencies, the CFPB, that was set up under the Obama Administration changed the board of directors, board of commissioners and there was a market decrease in enforcement on CFPB related laws and regs and I think it’s broadly expected that the change in those associated leaders of the regulatory agencies particularly the prudential regulators will mark a return to enforcement activity.

I think most banks are gearing up for it and many of them have been through a few cycles so they have a good infrastructure around regulatory compliance but this will, I think, mark a return to the time five or six years ago when we saw huge enforcement to protect consumers from a laws and regs perspective.

Charles Volkert: I would certainly concur. I think from our in-house counsel relationships and our law firm relationships, we’re seeing them really increase conversations with the financial leaders of those organizations and prepare for an increased demand in this area. Kim, you mentioned the remote workers and the increased amount of remote workers and that’s certainly something we’ve also seen in the legal sector. Technology risks have been particularly compounded by the surge of professionals working from home, not only do legal managers need to manage the inherent security risks but also protect confidential client data that is being transmitted and accessed remotely. In addition, those legal professionals are confronting a significant uptick in directives being introduced including data privacy as you mentioned earlier, as far as contract matters and really beyond.

So, compliance with expanding regulations is a key priority that many legal professionals are facing, what are you seeing in that sense, Kim?

Kim Dickerson: Well, not only are compliance risks growing but the art of first identifying the set of risks that exist and then understanding the potential impact that risk has on your business and then putting processes in place to manage and measure those risks has become a key initiative across industries and this is certainly heightened by our largely remote workforce and restrictions on travel that have forced what would have been in-person discussions on highly sensitive matters into video platforms like Zoom and Teams and others.

When I think about some of the things that have changed and are more likely to be difficult to do in this remote environment, I think about things like conducting due diligence on potential external vendors and effectively managing those vendors both from a performance perspective but also from a contract perspective and understanding exactly what, if any, new compliance regulations may apply.

I think about monitoring and managing security and privacy risks at a time when digital crimes are rising and how many of our operational processes have changed. In most cases, what I see at many of my clients is that changes were really forced on us at the beginning of the pandemic out of necessity. We all did what needed to be done in order to keep the lights on and keep driving the work forward. There just wasn’t time for us to go through a deliberative process to redesign all of our core operational processes and look at the existing list of controls to see how they should have changed.

(00:10:08)

But now, 13 months into our remote work experiment, we have seen many companies that have announced either the continuation of remote work or some hybrid. The latest polls have about 60% of companies that believe they’ll have a hybrid workforce going into next year and that puts a light on the idea that some processes need to be redesigned to remain efficient and to be well-controlled.

Lastly, I think about what training needs to be performed for employees to understand these new operational process requirements and what the new compliance protocols may be.

Charles Volkert: I mean, tremendous insights, Kim. You just think about all of the things that a business leader needs to take into consideration, how many you hit and what’s really going to be important going forward. In my experience, one of the key compliance challenges that law firms and legal departments face is remaining current on changes in the dynamic regulatory environment. In many instances, organizations appoint an individual to continuously monitor news, headlines, pending legislation, government websites, et cetera, and identify regulatory updates and flag when those policies and practices need to be modified to remain compliant.

What strategies have you found to be most effective in determining if compliance programs are keeping pace with the new regulations and business realities and can you outline maybe some critical steps for our business leaders that they should be taking?

Kim Dickerson: Well, this is definitely an area that I’ve seen evolve over the last decade or so and the ability to access and understand shifts in the regulatory landscape are far more advanced today than they ever have been. When we think about compliance risk, we’re really talking about protecting an organization’s reputation. We’ve seen the lack of compliance in the financial services industry as an example have just a devastating impact on corporate brands.

It becomes imperative that organizations keep up to date on emerging compliance mandates and heightened enforcement and that enforcement includes regular compliance audits by regulators who are looking at both the design and effectiveness of compliance programs. Best practices that companies I’ve worked with have now deployed include maybe first and foremost assessing the risks on your company and understanding how and in what ways changes to laws and regs will impact you or how new laws and regs may impact you. It almost always includes appointing an owner of compliance oversight and management. Depending on the size of the organization, this may be a single person or a single technology tool or it could be a fully staffed center of excellence. If I think about this financial services industry as an example, this encompasses the entire second line of defense and those teams can be enormous.

Secondly, having a defined system to monitor regulatory news and headlines, pending legislation is really important and again, I’ve seen this span from having subscriptions to regulatory news feeds and compliance associations all the way to having lobbyists on Capitol Hill that are relaying information real time as regulations are designed and debated. I think the important thing here is to have a systematic way to identify and understand new laws and regs and changes to laws and regs that impact your business.

Companies have to start with a list of all of the regs that impact their business and then know how those changes impact them and how new regs are added that could impact you and this usually requires a pretty well-defined change management process so that as new changes are made to the inventory of laws and regs, they can be introduced into the operational process environment in a way that’s both timely and efficient.

I’ll say, technology vendors have been very active in developing software that can strengthen compliance management. These programs track and report on non-compliance, they can track and manage remediation efforts, and it really does give managers a new set of tools that they can add to their toolbox.

Then, once the inventory of applicable laws and regs is established, employees need training on what those compliance requirements are and how the updates will be rolled out. Employees need to understand how they perform their operational processes in a compliant way and so, that training needs to be specific.

Then, there should be regular reviews or audits of those processes and controls to understand where there could be instances of non-compliance and those reviews generally are done internally and in advance of any audits that are performed by regulators or any other external third parties.

(00:15:14)

Charles Volkert: Well, that’s great, Kim. Another outstanding list is you just think about all of the moving pieces. I know that protection to confidential client or customer information is among the top compliance risks for legal managers and also for business leaders in many other sectors. As you think about that risk, what are other areas of an organization that are most susceptible to compliance risk and maybe share with our listeners how a company can identify and prioritize risk factors.

Kim Dickerson: Sure. Organizational risk varies broadly across companies and it’s influenced by a number of structural attributes like the industry that you operate in, the size of your company, the geographic footprint but there are a number of risks outside of compliance that are faced to some degree by every business and those include legal risks and financial risk, reputational risk, business continuity risk. As you mentioned, risks specific to data privacy and new mandates at both the state and federal level have really shown a spotlight on the topic of data security and privacy.

I mentioned earlier that compliance with health and safety mandates will likely be a new and important frontier for all of us to think about as risk managers but when we talk a bit about compliance risk assessments and how important it is, I think the starting places are to really understand the current compliance landscape and points where the various regulations touch your business and your operational processes, having an inventory of your current compliance controls and the processes in place around that control management and then certainly, identifying any gaps between existing controls and required controls based on changes to the regulatory landscape and prioritizing gaps and the risks and understanding the potential impact of any kind of compliance failure would have on your business, how that may impact you. It could be from the standpoint of revenue, it could be damage to your reputation or damage to the value of your business, it could have a risk to your supply chain or to your customer relationships and certainly, it could result in financial fines and penalties.

Then, based on that list of prioritized risks, implementing changes needed to control and strengthen the control environment and the process that will be used to identify and address gaps is an important part of any risk management program. Regular updates to your risk assessment and adjusting your compliance program as you need, that is a living process. It’s not a point in time exercise. So, that idea of having more dynamic risk assessments where you’re continuously looking at and monitoring risks versus doing a risk assessment, say at the beginning of the year, is a move in risk management across industries that we’ve seen.

Charles Volkert: Well, that’s great information, Kim, and we really appreciate that. We have much more to discuss with you about how to manage growing compliance risks and requirements. But first, let’s take a quick break.

[Music]

To find, hire and retain the best legal professionals, it’s critical to have a sound hiring strategy in place. Robert Half Legal works with law firms and corporate legal departments to create effective staffing plans that can adapt to changing workload levels, realize significant cost savings and improve the overall management of human resources. We offer a wide range of resources to assist hiring managers and job candidates, including our annual salary guide, industry leading workplace research and valuable interactive tools. For more information, call us at 1-800-870-8367 or visit roberthalflegal.com.

[Music]

Charles Volkert: Welcome back to the Robert Half Legal Report. I’m Chad Volkert and with me today is Kim Dickerson, Managing Director at Protiviti. We’ve been discussing expanding compliance risks and challenges in today’s dynamic business environment. Kim, earlier you briefly talked about growing compliance risks associated with third-party relationships. Which are on really the rise as many companies seek new suppliers to help address business disruptions during the pandemic and post-pandemic? For example, many legal organizations have looked to tech focus outsourcers to provide platforms to support remote workers, healthcare companies have relied on vendors to expand capabilities through telehealth resources, can you share your insights on managing third-party risks? Are there particular components of a vendor risk management program and framework that can help organizations strengthen their compliance efforts?

(00:20:32)

Kim Dickerson: Well, I guess I’d start by saying regulators have made it clear that companies cannot delegate risk management responsibilities to third-party vendors. Managing risks and ensuring compliance with external vendors is a critical part of any organization’s overall compliance program and the effectiveness of that program. As you mentioned, our businesses have really changed over the past year and many businesses have engaged new vendors to solve supply chain issues and other business continuity challenges.

Companies must have a proactive vendor risk management program that includes performing those risk assessments in order to identify and manage compliance risks with external vendors and performing in-depth due diligence to evaluate potential risks, both strategic and reputational as well as transactional and operational and having an ongoing and comprehensive risk monitoring and review process, there’s been increased focus on companies performing third party compliance audits at their vendors and certainly leveraging technology and resources around automation that can facilitate the risk monitoring and review of third-party vendors.

Charles Volkert: That’s great, Kim, and it’s interesting, I know productivity is involved in a lot of review of in-house counsel’s vendors and where that data is and doing those type of assessments, which is really helping general counsels as well as their outside counsel and other vendors that may really be in a position to have highly confidential data and need to make sure that’s secure. Also, a critical part of vendor risk management relates to contractual issues. It’s essential that organizations from the very start clearly state contractual expectations with all vendors beyond outlining products, services and delivery timelines, written contracts should include specific regulatory requirements that require the vendor to meet certain guidelines including privacy and security obligations, how data is collected, stored and retained, also consider including a right to audit clause in the contract that enables you to examine outside provider’s compliance with contractual terms and expectations.

Kim, I’d like to follow up on something you mentioned a bit ago dealing with technology. How are tech applications such as digitization, advanced analytics and AI facilitate in compliance risk mitigation and strengthening compliance effectiveness?

Kim Dickerson: Technology and specifically automation provides enormous benefits for an efficient and cost-effective risk management program. I mean, I think back after the financial crisis as an example where many of the banks and companies that support banks managed compliance risk through adding bodies and not looking to use technology that was available to them. But again, since that time, there has been so many advances in technology that it makes the choices available to us just so much broader than it has been in the past.

We have today cloud solutions that can improve security and privacy and compliance and allow for better control over data integrity and then there’s just a plethora of automated compliance software programs that track legal, industry, government and other regulations as they’re changing and being introduced. They can provide real-time alerts for control failures and offer suggested remedies and many software programs today are powered by Artificial Intelligence and machine learning which automatically learn and adjust to the environment as they’re operating and those can really automate risk and compliance processes and provide for continuous updates that give employees and managers real-time visibility on enterprise-wide risks and compliance issues.

There are a number of vendor risk platforms that facilitate the due diligence process and can continuously monitor security and privacy in your third-party vendor environment. I think these are really key resources to managing compliance and security matters both internally and with third-party vendors in a cost-effective way.

(00:25:10)

Charles Volkert: Excellent, Kim. Additionally, as new regulations are introduced and policies and practices are adjusted, I’d like to underscore best practices for overall compliance management. Certain at number one, ongoing monitoring of all compliance processes and policies to identify weaknesses, risks, out-of-date practices. Number two, I think about periodic audit of compliance systems, policies and procedures. Three, and you mentioned this Kim, the ongoing training, education and communications so employees fully understand compliance policies and their procedures. Number four, embrace and leverage tech resources that can facilitate compliance activities, leverage automated and accurate real-time monitoring and reviews and finally, promote a culture of compliance throughout the organization, communications, collaboration, reinforce that all employees are responsible, accountable for compliance and encourage transparency and ultimately honesty.

But Kim, you’re the expert, certainly more than I am, so I guess I would turn to you for any closing thoughts or anything you wanted to highlight further with the audience today.

Kim Dickerson: Well, thanks for that. I think that was a great list. The one thing that I’ll add to it though is really this idea around dynamic risk assessments and I know many of us who have been risk managers for a while are accustomed to that beginning of the year polling of our senior leadership and department leads and identifying our risks that we plan to manage throughout the course of the year.

If there’s one thing that we’ve learned over the last 13 or 14 months is that the environment that we live in and work in today is completely dynamic. The risks that we thought that we were going to manage at the beginning of 2020 for instance turned out to be completely different than the list of risks that we actually managed. And, so, this idea about having a dynamic risk assessment which is really just the process of continually observing and analyzing risks in a rapidly changing environment and having a system in place to roll those risks into your review and management process. I think that is a lesson that we’ve all had to learn kind of real-time but provides us with a much sharper list and much more relevant list of risks that we need to be willing to and able to manage.

Charles Volkert: Great additional thoughts, Kim. Thank you and with that, we’ve reached the end of the program. Hard to believe it went quickly, but, Kim, thank you so much for joining me today and sharing your knowledge and insights as well as guidance with our audience. Before we close, how can our audience contact you and where can they obtain more information?

Kim Dickerson: Thank you so much, Chad. Listeners can reach me at [email protected] and they can find additional information on our website at protiviti.com. It was a real pleasure to be with you today.

Charles Volkert: Excellent. Well thanks again, Kim, and our listeners can reach me at charles.volkert, that’s V as in Victor O-L-K-E-R-T at roberthalf.com and you can visit the Robert Half Legal website for additional information on legal, career and management resources including our latest salary guide for legal professionals at roberthalflegal.com.

Again, thanks to you Kim for all of the great information and content and thank you to our audience for listening. Join us next time on the Robert Half Legal Report as we discuss important trends impacting the legal field and legal careers.

[Music]

Outro: The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Robert Half Legal, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders or subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.

Thanks for listening to this podcast. Robert Half Legal connects highly skilled candidates with the best positions in the legal profession. If you liked what you heard today, please remember to rate us in Apple Podcasts. Also, follow Robert Half Legal and Legal Talk Network on Twitter or Facebook. Join us again for the latest information in the next edition of the Robert Half Legal Report here on the Legal Talk Network.

Robert Half is an equal opportunity employer including minorities, females, people with disabilities, and veterans.

[Music]

Podcast transcription by Tech-Synergy.com