As I'm writing this sentence, Dallas County is about to go on a stay-at-home lockdown akin to what's in place in California and New York. Wherever you are, my guess is that you're feeling the same amount of uncertainty that I am. Everything is changing so quickly.
Of course, this too shall pass, and business will continue, but the overwhelming consensus seems to be that it will look different. And it certainly looks different right now.
It's in these moments, when things are uncertain and scary, that the pressure to compromise our values is especially intense.
Helping make sure that doesn't happen at your company is what your compliance job is all about.
So what should you prioritize as a compliance team right now?
We told you last week to be proactive. What does that mean exactly?
That is, for the next 30-60 days, what should you specifically do to protect your business—and to position yourself and your compliance team to be a part of whatever new normal emerges from this?
That's what we'll cover in this post.
Quick aside: for the rest of this (very long) post I am talking about how to do your regular compliance job. If your team has already been commandeered by your leadership for coronavirus response or something else at your company, then of course do that. If not, and you are trying to figure out what to do, this is for you.
If you need coronavirus-specific stuff, go to our Antiviral Campaign here and on Instagram @antiviralcampaign, which is where we’re putting all of the free coronavirus resources we make available. (Or just be on our newsletter; we’re sending them out there too.)
Focus on these two things.
I want to give you two practical things to focus on that will both help your business stay compliant and position your compliance team as a business partner—one that survives this public health and economic crisis and thrives in the new normal.
In that last sentence, the word "both" is critical.
That's because for the next 30-60 days you need to do things that not only protect your business, but are seen as obviously valuable by the business itself in a time of crisis.
A lot of compliance work will just be the first thing: for example, auditing is hugely valuable but really not something a business wants to focus on during a crisis. Same with policy management or Code of Conduct engagement.
All of that stuff is valuable! But none of it is even remotely on your business team's radar right now.
During a crisis, you need to not only do your substantive job, but position your team so that you can keep doing your substantive job throughout the term of this event—and beyond. That means it's not enough for your work to be valuable; your business has to see that what you are doing right now is valuable right now.
Got it? Cool. Here we go.
First, simplify and speed up approvals.
Your business needs to move quickly now. This does not mean you need to step back and let it be wheels off—don't do that!—but you do need to quickly rethink how you do approvals.
Examine every action where you act as a gatekeeper for the business. Aggressively streamline it so that if your business is trying to close a deal or take action you can decide quickly.
Practically, this means:
You might need to do this manually, even if you have an awesome automated workflow thing, if you know it'll take you days-to-weeks to get the software reconfigured.
Instead of having a committee evaluate and approve things, you might need to have just one person do it.
And you might need to accept a greater level of risk in favor of speed—kind of like how certain states here in the USA are now allowing restaurants to deliver alcohol. (That's a risk, and that's a compliance process!)
Bottom line: don’t worry about whether your approval process will scale six months from now: solve the problem in front of your face, and that’s being responsive now, in the middle of a crisis.
Here’s a good goal: imagine being able to tell your sales team that you will now give them same-day approval on things. Work backwards from that goal and develop the leanest possible process.
Focusing on this:
(1) Adds substantive value by reducing the likelihood that your high-risk processes will get ignored or end-run when they are even more critical. If it takes you three weeks to approve a third party, no one is going to use that process now—adapt so it doesn't get ignored.
(2) Adds obvious business value by letting you communicate how you are streamlining things to support business operations. If you're in the USA, I'd think about using that restaurant/alcohol analogy I explained above to frame it up, as that'll be an accessible way to communicate how you're being responsive to business needs.
Second, communicate operationally.
Again, your business is going to need to move quickly, making fast decisions, and that brings heightened risk with it. You need to tell them how to navigate the situation.
That is not going to happen by re-sending them links to your Code, policies, or traditional "compliance" training and communications. That stuff is too slow and it makes them do all the work of figuring out how to apply it—so they won't do it at all.
Instead, give your folks operational checklists, flowcharts, and other tools that help them stay compliant without having to think about it, so they can focus on doing the job the business needs them to do.
Here’s one of our examples:
When you deliver this stuff to the business, stick the landing by framing it the right way. For example, if you were delivering that invoice piece, you'd say:
"I know we're moving fast on things and everyone has a lot going on. I also know every dollar counts and we need to be careful what we approve. Here's a checklist that helps the team quickly get the right invoices approved."
"Here's a compliance communication about fraud and corruption!"
Framing it the right way makes sure they know to open it and use it. You gotta accept that no one is going to read anything about "compliance" for the near future unless it's clear how it applies to a decision they need to make, so make that application super obvious.
Focusing on this:
(1) Adds substantive value by targeting high-risk business process, making it easier for operational businesspeople to know what is expected of them and creating a record that you continued to focus on compliance in a time of heightened risk.
(2) Adds obvious business value by being about business operations instead of "compliance," so you're making their job easier instead of harder. If you've only ever done the school-style Code of Conduct/risk area stuff in the past, this will show an especially dramatic increase in value to your business.
And look: I know not everyone has operational checklists and flowcharts and so on. Like, unless you're the rare company that makes them yourself or you're already a Member of Compliance Design Club, you don't, because I don't know anyone else who specializes in this.
I also know that everyone is in a different position right now depending on your industry and company.
So here's the deal: if you're not a Member of Compliance Design Club and want to join but are in a tough spot with budget or whatever, use the button below to email us. Explain your situation.
No promises—it'll all be case by case—but we'll see what we can do to help you out.
What’s going to happen? Will this work?
Dude, literally no one knows anything now. I was on a video call last week with one of the smartest insiders I’ve met and he wouldn’t even guess at how all of this is going to shake out.
Basically, I can tell you two things with certainty:
First, passively waiting to see what happens is not a strategy. It is not a decision to be flexible or a team player; it is a decision to let things happen to you.
Second, a huge amount of what compliance teams do, including the type of stuff that can win them awards, does not have obvious value to their businesspeople.
Again, the key word there is “obvious.” I’m not saying it’s not valuable, I’m saying that it does not have obvious value to a businessperson. This is why every conference ever has a million sessions about business partnership and explaining what you do to the business and so on, because a lot of what a compliance team does is not at all obvious to the business.
And in a crisis, things with obvious value get prioritized over things that do not. The things I’ve outlined here are what I would do to protect my team over a 30-60 day period and position ourselves for the new normal.
Three practical steps to get started.
In closing, here's what to do next.
First, take a beat and mourn whatever you were working on two weeks ago. I know this sounds goofy, but do it—it’ll help you put that to the side, accept reality, and recalibrate.
Second, decide who owns what. Have a clear owner—a single person—who owns each decision on how you are executing the things in this post. You can have multiple folks be decisionmakers—this doesn’t all have to fall to one person— but it is one person per decision.
I can’t stress this enough: do not act by committee. Most committees exist at big companies because it’s easier to do nothing as a group than navigate the awkwardness and politics of having a clear owner for a decision.
If you take that approach now, everyone is dead in the water. Pick who owns each decision and let them decide so you can move.
Third, execute. Get out there and show your business what a critical partner you are so that both you and your business come out of this stronger. Use this post to get started.
Your business needs you to do this. And you can do this. Good luck.
PS: Also I know this post was super serious and not fun, so we've had the team collect various things that will give your brain a hug. Sit back and enjoy!
Just plain wholesome: the subreddit /MadeMeSmile.