By Heloisa Uelze, Felipe Ferenzini, partners of the Trench Rossi Watanabe Compliance group
With the declaration of a Covid-19 pandemic by the World Health Organization (“WHO”), governments in several countries have created laws and regulations that provide measures to deal with the new pandemic.
In Brazil, rules have already been published (and new ones should be published in the coming days) that increase risks in operations and must be mapped by the companies’ Governance, Risks and Compliance (GRC) area, such as:
• Emergency contracting, with waiver of bidding process for goods and services intended to deal with the health emergency
• Suspension of certain economic activities
• Duty of companies that provide services to the Public Administration to notify the contracting agency about cases of employees (including outsourced) who present symptoms or are diagnosed with COVID-19.
In addition, Brazilian authorities are likely not to stop investigations and operations during this crisis, as for example, the Federal Police has conducted at least three operations since March 17 (Operation “Tifeu” – on money laundering and drug trafficking / Operation “Assombro” – on embezzlement of money by hiring ghost employees / Operation “Zig-Zag” – on fraud in DNIT bids in the State of Minas Gerais).
Faced with this scenario of uncertainty and challenges, the integrated role of the GRC department of companies should be focused on the elaboration of an emergency strategic plan with a view to preventing and mitigating risks – some that probably may have already materialized – including, but not limited to, corruption (in its broad concept). Therefore, we present below some recommendations for measures that can be evaluated by companies to mitigate the impact of this difficult moment.
The role of senior management in strengthening the culture of GRC
To overcome the crisis, leaders must evaluate and guide the adoption of emergency measures such as:
• the creation of a crisis committee
• a review of risk matrix
• monitoring of legislative and operational changes
• changes in work routines (cancellation and/or suspension of meetings, travel limitation, isolation of employees and third parties – with remote work)
• reinforcement for decision-making, guided by the company’s ethical principles
• monitoring of high-risk suppliers
• application of disciplinary measures
• potential disclosure of exceptional measures to the market.
The whistleblowing channel is one of the main pillars of a compliance program and can be essential for mapping new risks in a crisis (e.g., excessive price increases, fraud, exposure of employees to risks). Therefore, special attention should be given to the complaints channel for receiving and handling complaints during this period.
Some companies and public agencies are already implementing reporting channels, specifically for crisis management. The Commission for the Defense of Human Rights of the Legislative Chamber of the Federal District (CLDF), for example, created a reporting channel with the objective of receiving reports from patients and civil servants about possible violations of rights related to COVID-19, such as the lack of health protection equipment for workers who cannot work remotely.
Risk assessment and internal controls
The impact of this dramatic situation on companies is still immeasurable, but the range of problems that everyone will have to face during the crisis is already certain. This is where the immediate need for a reassessment of the risks to which the company is subject comes in, so new measures will be adopted or existing measures will be adapted to the new reality of the company.
Risks not previously considered or classified as non-priority may become especially important in the new scenario. As a recommended alternative, in our view, the company can establish a crisis committee authorized to take the necessary measures. The company’s GRC department is very relevant in this process and should be called for discussion together with the other departments of the company, such as legal, HR and commercial, so that decisions may consider the impacts in each area of the company.
The crisis committee should work on preparing or reviewing the company’s risk matrix, considering risks such as:
• Corruption (e.g., fraud, conflict of interest, donations, etc.)
• supplies/logistics (e.g., including for each region where the company operates)
• contractual (e.g., with customers and suppliers)
• regulatory (e.g., new need of notifying certain governmental customers of COVID-19 cases within its workforce)
• labor (e.g., layoffs)
• financial and tax (e.g., waiver on tax penalties)
• business continuity (e.g., lack of capacity for remote work in case of quarantine).
During the crisis, the GRC must also adopt extraordinary controls to monitor the performance of the compliance program and conduct more frequent periodic reports to senior management.
Communication and training
There is the challenge of seeking coordination between the GRC and the other departments of the organization (legal, supplies, human resources, commercial, operational, etc.), in order to implement an emergency communication plan. This communication should be directed to different audiences, including from own employees, third parties, service providers, suppliers, but also, and mainly (in the case of companies that trade securities), the market itself.
The content of the communications may include:
- the risks arising from the virus
- the health and safety guidelines issued by the authorities
- the new corporate guidelines on home office work
- the interaction with the external public (e.g., customers and public officials)
- the review of risk matrix, the tests that must be carried out on the internal controls
- reinforcement for the use of the confidential channel (hotline)
- the message from the president (or respective leadership)
- other matters considered and defined as relevant by the crisis committee.
In view of the health authorities’ recommendations for isolation and home office, communication and training would be effective online, through webinars, explanatory videos and general circulation emails. It is recommended to extend the training to third parties (suppliers, service providers, business partners).