The Ethics & Compliance Initiative hosted its annual conference this week, including a panel discussion about Russia’s war against Ukraine and its long-term implications for corporate ethics and compliance. The speakers spooled out a bundle of useful observations, so let’s take a few minutes to recap those points and ponder them a bit more.
The speakers were Leo MacKay, head of ethics and enterprise assurance at defense contractor Lockheed Martin; and Luke Dembosky, a partner at law firm Debevoise & Plimpton. (With an assist by Michael Volkov, a friend and fellow compliance thinker who moderated the discussion.)
The group first talked about some of the immediate challenges in complying with new sanctions Western governments have slapped against Russia. What struck me most was how all three speakers used words like “scramble” and “pivot” to capture how quickly compliance teams need to respond to the obligations here. Global businesses now face a blizzard of new sanctions rules, and that blizzard isn’t likely to relent any time soon.
An astute compliance officer will need to anticipate what those new sanctions mean for your company’s larger operations — the “second-order effects” to your supply chain, MacKay said. For example, the company might need to cut ties with some third parties, or pay more for materials and components sourced from elsewhere. Those are exercises in third-party risk management, and compliance officers should consider how they can leverage their experience with third-party risk for these emerging challenges.
“What have you learned in due diligence for anti-corruption… that you can apply to control your supply chain?” MacKay said. “The higher up you are in your supply chain, the harder that becomes, but that’s the question you have to think through.”
MacKay is correct. Building on his point, we can identify a few supply chain risk capabilities that companies will need to have in our current world:
- Due diligence skills, to identify your third parties and assess their risks to you;
- Screening capabilities, to match your third parties against the ever-changing list of sanctioned persons and companies;
- Contract management, to enforce compliance expectations onto your immediate suppliers and down into the lower tiers of your supply chain;
- Scenario planning, to understand which of your suppliers truly are critical and what the consequences would be for your operations if those suppliers were suddenly dropped;
- Inventory control, to assure that the business has enough of its critical materials and components in the event of a disruption.
Of those five capabilities, the first three are very much in the compliance function’s wheelhouse. The latter two belong more to a procurement or logistics function of some kind — but one can see how compliance and procurement must work together to weave all five into a single risk management effort. Sanctions compliance has supply chain implications, and vice-versa. Risk assurance teams will need to understand what those implications are, and then communicate those issues to senior management and the board so those groups can adjust their business strategy as necessary.
Thoughts on Cybersecurity
Another line of discussion in the webinar was cybersecurity. Western businesses need to be on heightened alert for cyber attacks that Russia might launch against us — but what does that mean at a practical level for compliance officers? How are you, a decidedly non-IT function, supposed to help?
Begin by understanding that cybersecurity is a business risk with compliance implications, rather than a compliance obligation unto itself. That is, your business might be fully compliant with privacy obligations such as the GDPR, or have great user access controls for SOX compliance — but that doesn’t mean you’ve achieved cybersecurity; it only means that your company fulfilled its compliance obligations. You could still suffer numerous other cybersecurity disruptions with real operational consequences. The board needs assurance about those risks, too.
Clearly the CISO should take the lead on defining all those cybersecurity risks and your company’s response plans. The compliance officer, however, can still play a vital role in helping to mitigate those risks.
We can divide those duties into two halves: “left of boom” work to reduce risk before a cybersecurity incident; and “right of boom” work to repair the damage after an incident, including all your compliance obligations. Figure 1, below, shows how you might structure things.
Compliance and cybersecurity teams should also work through many of those same supply chain issues we outlined above, slightly reframed to address technology concerns:
- Who are your mission-critical IT vendors? How have you assessed their IT security risks and controls?
- Are any of these vendors sanctioned entities?
- What scenario planning have you done to gauge the disruption to your operations, should one of those critical vendors go off-line?
- What contract language have you enforced on your vendors to assure they’re compliant with your needs?
- What certifications, attestations, or other evidence have you collected from them, and where is that documentation stored?
Again, these questions are all about gaining visibility into the risks of your supply chain. Once you have that visibility and understanding, you can have productive conversations with senior management and the board about how much the supply chain does or doesn’t support your overall business objectives.
That’s especially useful now, as Russia disrupts the world so much; but such capabilities will remain important for many more years to come.