Fairwords Weekly: Compliance Expectations and Tips on Digital Communications, the Shortcomings of Risk Committees, and More
May 25, 2023
“Without a sound policy on remote access and personal devices, companies may be left exposed to the growing number of off-the-clock lawsuits, data ownership issues, and cybersecurity risks associated with remote access and personal device use.”
– Robin Beardsley Mark, Partner at Burr & Forman
This week, learn about the DOJ’s expectations for corporate compliance programs concerning the use of personal devices and messaging applications, along with compliance tips for meeting those expectations. Consider the shortcomings of stand-alone risk committees in the banking sector in light of the recent failures of three institutions. Finally, explore three approaches companies can take to address their compliance obligations in federal contracting.
Companies should evaluate their compliance and document retention policies regarding employees’ use of personal devices and messaging applications for business communications. When the DOJ evaluates a corporation’s compliance policy, it considers whether policies are tailored to the business, how data is preserved and accessed, how policies are communicated to employees, and how compliance is monitored and enforced. To mitigate risk, companies should develop comprehensive policies covering remote access, personal devices, and messaging apps; conduct audits; research suitable solutions; implement clear policies; understand their record-keeping obligations; train employees; and enforce compliance. Monitoring for violations and disciplining them is crucial regardless of the employee’s position within the company.
Given the recent failures of Silicon Valley Bank, Signature Bank, and First Republic Bank, the shortcomings of stand-alone risk committees in the banking sector are clear. The problem lies in the composition of these committees: their members need more relevant risk management expertise. While federal law mandates stand-alone risk committees for large banks, the practice has spread voluntarily to companies across industries. The expertise and effectiveness of these non-bank risk committees, however, remain to be determined. Governance issues also arise when the audit and risk committees are separate entities, which can create oversight gaps. Liability for risk management oversight ultimately falls on the whole board. The failures of the banks mentioned above highlight the need for qualified members, clear delineation of roles, and adherence to legal limits in how risk committees function.
Companies can address their compliance obligations in federal contracting in a few ways. The riskiest approach is to do nothing, which is strongly discouraged given increased government scrutiny and the potential legal consequences. The second option is a do-it-yourself approach, in which an existing employee takes on compliance responsibilities as an additional duty; this approach, however, is often compromised by time constraints and a lack of dedicated attention. The recommended approach is to hire a service professional who specializes in compliance, which can be likened to carrying general business insurance. Despite the initial expense, this investment is essential to avoiding costly non-compliance and potential legal issues when the company faces a compliance audit.