2020 was a particularly challenging year due to the coronavirus pandemic. For corporate risk managers and compliance officers, the year posed additional challenges. Organizations had to contend with an alarming rise in cyberattacks, supply chain constraints, employee health and safety, corporate governance and compliance, and diverse risks relating to or deriving from various fields. Nevertheless, if 2020 has taught us anything, it is that risks to a corporation, regardless of their source, are intertwined. Therefore, compliance officers and risk managers must collaborate with their organizations’ various departments more closely than in the past.
In order to provide guidance to organizational compliance officers and risk managers, we offer this overview of unique challenges posed by the last year and significant global trends when contending with these challenges.
Responsible investments – ESG (environmental, social and governance)
Major multinational investment corporations, such as BlackRock, are already making their investments in companies contingent upon a high ESG rating. Investors’ considerable interest in ESG is increasingly incentivizing organizations to prepare ESG programs relating to such topics as diversity, gender, fair wage terms to employees, donations to the community, environmental responsibility, corporate governance, etc. In 2021, we expect to see a steadily intensifying trend of corporations publishing, in addition to financial statements, ESG reports as an integral part of company reports. We advise organizational risk managers and compliance officers to examine their organization’s conformity with the global standards now being set in relation to ESG issues. This will enable them to be ready for the day when their company’s management decides to publish an ESG report and, obviously, wants to see that the company is attributing importance to these topics.
Privacy, privacy, and more privacy
The European General Data Protection Regulation (GDPR) came into effect in 2018, after about two years of anxious anticipation and preparations. It is already evident today that the GDPR’s inception date did not mark the end of an era, but rather constituted a kind of opening shot targeting a legal issue increasingly preoccupying private and public organizations alike. Data protection regulations throughout the world are becoming more stringent, more rigid, and more meticulously enforced. We foresee that in 2021 the challenging reality and differing privacy regulations between one country and another will prompt global organizations to formulate a uniform and comprehensive privacy program to comply with the most stringent standards in a “one-size-fits-all” format for all of their customers. We advise risk managers and compliance officers to take a proactive approach to this issue and ensure their organizations meet the requisite standards.
The work environment
2020 compelled dramatic changes in the work environment as we knew it. These include the massive shift of employees from working at the office to working from home, and the considerable use of video conferencing technologies. Upon the gradual return to offices in 2021, employers can expect to find themselves contending with this issue over a longer period, and may see this work model become an integral part of the organization’s culture. These questions, as well as others resulting from the coronavirus crisis, will have far-reaching implications for the nature of work in general and for employer-employee relations in particular.
For example, can an employer require its employees to be inoculated? Is it worthwhile to return to a single central workplace? How do employers cope with employees’ mental distress during this period? Given the fact that Israeli labor laws impose a very wide spectrum of obligations on employers, risk managers and compliance officers must also consider the exposures deriving from the dramatic change from the conventional work environment we were accustomed to in the past.
Additionally, the shift to working from home significantly heightened the risk of information leaks from organizations. Last year, the number of cyberattacks on organizations increased, which added the burden of contending with the repercussions of such attacks. Compliance officers and risk managers must collaborate closely with their IT departments in order to cope with this challenge.
Diversity, equality, and inclusion
The coronavirus pandemic made 2020 such a challenging year that it nearly overshadowed the fact that 2020 also marked one of the largest civil protests in the history of the United States, the Black Lives Matter movement. This movement significantly spotlighted the phenomena of racism and social disparity. It is evident this new awareness will compel corporations to conduct themselves with greater transparency and responsibility when it comes to issues of equal opportunity and diversity when hiring employees. Undoubtedly, the public discourse will force corporations that were previously “oblivious” to these issues, or that adopted a policy of “turning a blind eye” when controversial topics arose, to re-examine the policies practiced in the corporation and to allow candid discourse enabling all of the organization’s employees to express themselves freely about these issues.
Assimilating IRM (integrated risk management)
The concept of IRM sprang into the consciousness of organizations, and compliance departments in particular, over the last five years. IRM is a process designed to improve decision-making in organizations by integrating risk analysis and holistic thinking about risks. This contributes to reducing the inherent uncertainty involved in organizations’ decision-making. To a certain extent, 2020 created a new and higher uncertainty threshold, but it would be a mistake to assume this was an anomaly. A review of future trends based on the STEEP model (social, technological, economic, environmental, and political) shows one should expect uncertainty to persist in the coming years. Consequently, in 2021, risk managers and compliance officers should ensure their organizations implement IRM processes related to decision-making and rethink their corporate governance through the prism of compliance and risk management.
Risk management related to the supply chain and third parties
In 2020, organizations discovered just how fragile their supply chains are. Regardless of the industry or sector, organizations contended with at least one of the following scenarios: an inability to obtain raw materials, an inability to purchase or import products critical to the business, or a drop in demand for products, causing slow inventory turnover and liquidity problems. The lesson learned for 2021 is that compliance officers must take a holistic approach to risk management that goes beyond the traditional legal lens (such as risk of bribery or corruption among third parties). They must also take into account the organization’s supply chain needs and the operating risks it faces, such as suppliers’ business stability or the potential damage a supplier could cause to the organization’s reputation.
In 2020, a year characterized by considerable uncertainty, many corporations switched to a model of survival-driven management—handle anything that is urgent and put off everything else to another day. Thanks to this mindset, coupled with the shift from employees working in the office to working from home, many organizations either postponed or minimized the number of internal professional training sessions. In many countries, even in the first quarter of 2021, there is no expectation the conditions of social distancing and working from home will change in the near future. Even in “inoculated” Israel, work conditions have not reverted to what they were prior to the pandemic. Thus, we advise risk managers and compliance officers to make sure not to push professional training and instruction into a corner.
On another note, it is interesting to see how many popular marketing tactics are also finding their way into the field of professional training. For example, instead of holding group training sessions, important information about the organization’s procedures can be displayed on employees’ screensavers or in banners in employees’ personal zones through the organization’s IT systems. The blurring of borders between defined training times and daily routine work creates new challenges for the organization. However, it appears there is a creative solution compatible with the current situation.
Whistleblower protection policy
Whistleblower protection is already a customary practice in Israel and in the United States, and one can assume this trend will expand to Europe and Asia in 2021. For example, the EU Whistleblower Protection Directive will come into effect for the first time in 2021. According to this directive, any organization or any of its employees that fails to safeguard a whistleblower’s identity may face economic sanctions, reputational damage, or even criminal sanctions. A similar trend is also evident in Japan, Australia, and other countries in Asia and the Far East.
These countries impose fines on organizations that failed to implement compliance programs relating to whistleblower protection. Therefore, we advise risk managers and compliance officers to make sure their organizations have procedures in place that enable employees to submit internal reports safely and that safeguard whistleblowers. If, in the past, these mechanisms were simply “nice to have,” today the reality has changed and whistleblower protection has become an imperative.
Dr. Zvi Gabbay has extensive experience in representing corporations in various regulatory compliance and risk management matters. Eran Elharar is a senior associate in the department.