Preparing for the Next Crisis

By Thomas Fox, The Compliance Evangelist, Author


When will the Next Compliance Crisis Occur?

As we learned from the recent SAP trade sanction enforcement action, it can be quite some time from a change which leads to a violation to the enforcement action that follows. In SAP's case, it was acquisitions in the early 2010s, which had violations from 2010 to 2017, that led to the 2021 enforcement action. Foreign Corrupt Practices Act (FCPA) enforcement actions can have an equally long, if not longer, span of years in which a series of unfortunate events can lead to costly investigations and enforcement actions.


Most compliance crises are born out of well-known events or fact patterns we have seen before. But what about Black Swan events?

Ben Locwin, in The Word ‘Innovation’ Probably Doesn’t Mean What You Think It Does, cited Nassim Nicholas Taleb’s idea of Black Swans:

“These are the unexpected changes, innovations and collapses that defied the ability to predict them. That’s why they’re called Black Swans…Black Swans will continue to occur, at a rate that may be suggestible by a Power Law, but largely unknowable. The COVID-19 situation was a global Black Swan for just about everyone, and dramatically impacted in mostly a negative way everything that has happened on the planet.”


But what about going forward?

Is there anything that can be learned to help corporate compliance programs prepare for the next unknown crisis?

Writing in a Harvard Business Review article entitled The Risks You Can’t Foresee, authors Robert S. Kaplan, Herman B. Leonard, and Anette Mikes considered what to do when there is no playbook. They write,

“Well-run companies prepare for the risks they face. Those risks can be significant, and while they’re not always addressed successfully—think Deepwater Horizon, rogue securities traders, and explosions at chemical plants—the risk management function of a company generally helps it develop protocols and processes to anticipate, assess, and mitigate them. Yet even a world-class risk management system can’t prepare a company for everything.”


Post COVID-19, many CCOs are now faced with the task of what to do to prepare.

You need to have a system to detect new or emerging risks. Fortunately, in the compliance arena, the Department of Justice’s (DOJ) 2020 Update to the Evaluation of Corporate Compliance Programs (Update) re-emphasized continuous monitoring. Continuous monitoring, particularly when done with a technological solution, can detect non-standard actions or those outside the norm. The authors said, when it comes to recognizing new or novel risks,

“The clearest signal that a novel risk is emerging is anomalies—things that just don’t make sense. This sounds obvious, but most anomalies are difficult for people to recognize or process.”

The tech solution “can be a powerful tool in the search for anomalies…applying data analytics to connect the dots between these small and unrelated reports and identify potential novel risks.”

Moreover, a compliance professional “who believes that a low-probability novel risk might materialize can analyze it more deeply to determine whether to implement a nonroutine response. In effect, members of the team serve as the company’s chief worry officers, empowered to think deeply about and respond quickly to novel risks.” While I might not suggest a CCO worry, I would suggest they think about what the data might represent in terms of new risks.

The authors also take another page from the Update when they suggest, “Companies can also identify potential novel risks indirectly—by looking at what has happened in other industries and countries and then asking themselves, ‘What if that happens here?’” The DOJ has made clear that companies need to stay abreast of others in their industry and the risks they are facing, which might be new and different.

When a new or novel risk arises, oftentimes a CCO, as the authors note, “will not have a script or a playbook for managing them ‘right of boom,’ or after disaster has struck.” Also, nothing in the backgrounds of risk managers will help them respond quickly and appropriately. In this situation a company needs to make decisions that are

(a) good enough,

(b) taken soon enough to make a difference,

(c) communicated well enough to be understood, and

(d) carried out well enough to be effective until a better option emerges.

The authors believe that the crisis can be managed at the home office or local level, if there is enough information available and there is a robust interchange of information and discussion. The authors conclude,

“Risks come in many forms and flavors.”

CCOs can “manage the ones they know about and anticipate. But novel risks—those that emerge completely out of the blue—will arise either from complex combinations of seemingly routine events or from unprecedentedly massive events.” CCOs “need to detect them and then activate a response that differs from standard approaches to managing routine risks. That response must be rapid, improvisational, iterative, and humble, since not every action taken will work as intended.”

One of the most propitious comments I heard over the past year came from Jed Gardner, Group Technology Transformation Director at Linedata. Jed said that we have moved from disaster recovery to business resiliency to business as usual.

One thing 2021 has brought is more of these events, from the January 6 insurrection to GameStop and beyond. In the realm of enforcement, we had the ‘New Dawn’ of trade sanction enforcement in the SAP matter. As Ben Locwin reminded us, “as Heraclitus of Ephesus waxed ~2,500 years ago, ‘Change is the only constant.’”
