“Without a sound policy on remote access and personal devices, companies may be left exposed to the growing number of off-the-clock lawsuits, data ownership issues, and cybersecurity risks associated with remote access and personal device use.”
– Robin Beardsley Mark, Partner at Burr & Forman
This week, learn about the DOJ’s expectations on corporate compliance programs concerning the use of personal devices and messaging applications—and get compliance tips for addressing this. Consider the shortcomings of stand-alone risk committees in the banking sector based on the recent failures of three institutions. Finally, explore three approaches for companies to address their compliance obligations in federal contracting.
Department of Justice Expectations on Corporate Compliance Programs Concerning Use of Personal Device and Messaging Applications for Business Purposes
Evaluating compliance and document retention policies regarding employees’ use of personal devices and messaging applications for business communications is crucial. When evaluating a corporation’s compliance policy, the DOJ considers tailored policies, data preservation and access, communication to employees, and monitoring and enforcement of compliance. To mitigate risks, companies should develop comprehensive policies addressing remote access, personal devices, and messaging apps—and conduct audits, research suitable solutions, implement clear policies, understand record-keeping obligations, train employees, and enforce compliance. Monitoring and disciplining violations are crucial regardless of the employee’s position within the company.
Compliance Tips for Unauthorized Communications Apps
It’s no secret that there has been a growing trend of using digital communication apps and texting for both personal and business purposes. However, unauthorized platforms such as WhatsApp pose compliance risks, attracting regulatory scrutiny and potential fines. Compliance officers face challenges in monitoring and addressing these unauthorized communications. The suggested approaches include implementing a blanket ban on WhatsApp, providing company devices that restrict unauthorized apps, and using risk scoring to analyze and mitigate risks. In addition, regular message evaluation and analysis, together with clear policies and training, are recommended to ensure compliance. Despite the complexities involved, proactive monitoring can help employees stay within compliance boundaries and mitigate the risks associated with WhatsApp usage in business settings.
Board-Level ‘Risk Committees’ are Great, Unless They Destroy the Company
Given the recent failures of Silicon Valley Bank, Signature Bank, and First Republic Bank, it’s clear that stand-alone risk committees in the banking sector have shortcomings. The problem lies in the composition of these committees, whose members often lack relevant risk management expertise. While federal law mandates stand-alone risk committees for large banks, the practice has voluntarily extended to companies across industries. However, the expertise and effectiveness of non-bank risk committees have yet to be established. Governance issues arise when audit and risk committees are separate entities, leading to potential oversight gaps. The liability for risk management oversight ultimately falls on the whole board. The failures of the banks mentioned above highlight the need for qualified members, clear delineation of roles, and adherence to legal limits in how risk committees function.
Company Compliance: Three Ways to Consider
Companies can address compliance obligations in federal contracting in a few ways. The riskiest approach is to do nothing, which is strongly discouraged given increased government scrutiny and potential legal consequences. The second option is a do-it-yourself approach, in which an existing employee takes on compliance responsibilities as an additional duty. However, this approach may be compromised by time constraints and a lack of dedicated attention. The recommended approach is hiring a service professional who specializes in compliance, likened to general business insurance. Despite the initial expense, this approach avoids costly non-compliance and potential legal issues, which is essential when a company faces a compliance audit.