Disaster Recovery Planning: Compliance Style

Most companies have a plan for disaster recovery of IT, real estate, and data – but what happens when you must respond to allegations of a violation of customer trust or compliance?  Does your organization know:

• What steps to take?
• Who needs to be involved in the decisions?
• When to notify the board?
• Who will conduct the investigation?
• How transparent you will be with shareholders? Employees? The media?

While the facts of the incident will vary, the need to respond quickly― and thoughtfully―is a given. To make that response effective, an organization must understand the key steps it needs to take after a serious compliance breach and the most important issues it must consider. Only then, can compliance officers and others charged with compliance responsibilities create an effective, executable plan for recovering from major ethics and compliance lapses, breaches, and disasters.

An Ounce of Prevention . . .

For anyone with compliance responsibilities, all efforts focused on establishing effective compliance control and education systems are the best foundation to any disaster recovery plan. These efforts can not only help prevent compliance disasters before they occur, they also serve to establish the best possible environment for managing recovery efforts should a compliance breach actually happen.

A good pre-event compliance environment exists when those charged with compliance responsibilities do the following before anything goes wrong:

• Understand the business
• Understand their organization’s culture and risk tolerance
• Learn how corporate culture is sustained, mended, repaired, rebuilt
• Arrange for regular assessment of ethics and compliance programs
• Set the tone for difficult discussions now

-Don’t appear only with bad news. Learn to strike a balance between “Chicken Little” and smoothing things over prematurely
-If action is needed, be thoughtful, balanced, and ready with a possible solution
-Learn to facilitate difficult discussions with respect and persistence

• Create a learning organization
• Work through discomfort and angst in discussing previous or smaller missteps and mistakes
• Consider establishing criteria and forums for examining ethics failures

And do not overlook the essential part pre-existing relationships between individuals in the organization can play. Understand who from the C-Suite, HR, and the rest of the organization will play a critical role when compliance issues arise and then cultivate a solid working relationship with all of them. Avoid personal relationships or feelings that might interfere with your judgment or objectivity. Though it can sometimes add extra stress, also remember to keep your detractors close and involved.

Choose Your Poison

Perhaps the most important part of compliance disaster planning is setting an intention for how to respond to a crisis before one occurs.  While the some of the choices below look less than wise, they often get made when the organization waits until something goes wrong to ask how it will handle a compliance breach.  Instead, ask now if a serious compliance breach occurs, whether your organization wants to:

• Execute a pre-determined plan?
• Wait and react to specific facts?
• Put on the blinders?
• Go forward and don’t look back?

Establishing an agreed upon response will help create a framework and boundaries for what to do if a compliance breach actually happens.

The Event: Uh-Oh, What Now

Because organizations are made up of people and people engage in the full spectrum of human conduct, compliance and ethics breaches will still happen despite organizational compliance best efforts. When a major breach occurs, an effective and timely recovery can be best achieved by addressing issues related to any needed investigations, remediation, and rebuilding of culture. Issues to consider include:

Investigation

• Have you previously vetted/engaged an independent investigator?
• Do you have established criteria to determine when the investigation is conducted in-house?
• Which department should be overseeing the investigation?
• Who will coordinate interested internal departments and communications?
• Do established escalation criteria exist to guide informing the board?

Remediation

• Who in the organization owns the job of remediation?
• Did any existing ethics and compliance controls work as they should have?
• Were there earlier red flags that were addressed or ignored?
• If disciplinary action is required based on personal behavior, who should have a voice in the outcome?
• Does a need exist to assure non-retaliation toward the whistleblower or witnesses?

Rebuilding Culture

• How much has trust been damaged?
• Does the organization need to design specific efforts to re-engage employees in the organization’s values?
• Who are the various culture stakeholders? Who of them should lead, follow, or partner in the process to engage with employees? 

Post-Event Transparency: How much is right

Finding the right amount of post-event transparency after an ethics or compliance breach presents deeply challenging issues.  Is complete transparency simply too risky?  Will keeping an event need-to-know only get in the way of critical learning opportunities?  Or should all events be embraced for what they can teach?

The topic is controversial, and reasonable minds disagree, especially because no single answer can cover every organization, culture, or occurrence.  Finding the right level of transparency requires an understanding of the specific culture of your organization along with consideration of involved constituent expectations― and demands.

Factors to consider when deciding what amount of post-event transparency fits for you organization include:

• Risk tolerance
• How public was the event?
• How much review is good?
• When does review cease to add value?

If you are the one making the ultimate decision about the appropriate amount transparency, base that decision on pre-event patterns and shared values. Then, if the decision you have made about transparency faces resistance, be prepared to discuss pros and cons, timeframe, and purpose.  And remember, it never hurts to prepare a Plan B to leverage learning and close out the event.

Conclusion

Compliance diasters come fraught with heightened emotion and organizational risk.  As a compliance professional, if you don’t actively participate in the conversation about what to do if and when a diaster happens, that conversation will happen somewhere without you. Or worse– or it may not happen at all.