Highlights from SCCE’s 2023 Compliance & Ethics Institute – Compliance’s Role in Disaster Management

This is the second blog article in our series detailing the highlights of SCCE’s 2023 Compliance & Ethics Institute. I attended a fantastic session on compliance’s role in disaster preparedness including planning, management, response, and recovery presented by Jillian Cusack, Laura Fey, and Tom Leatherbee. They echoed my oft-felt sentiment that “risks are getting riskier,” and companies need to plan for “polycrises” to sustain resilience in the time of pandemics, hurricanes, floods, terrorist attacks, grid failures, wildfires, and other disasters. In covering this topic, the panel stressed that compliance should play a role in disaster management and planning, preparedness, response, and recovery.

The session highlighted the need to identify and meet various external compliance obligations during a disaster. It is critical to do this proactively, as during a disaster is of course not the best time to be exploring these requirements for the first time. External obligations may include federal, state, and local regulatory requirements such as environmental reporting of hazardous material spills, frequently an issue during natural disasters such as floods and hurricanes. There may be requirements due to an entity’s industry, such as notification requirements to customers for service interruptions and on-going status updates on restoration of services, or notifications to family members of the location of evacuated minors, hospital patients, or nursing home residents. External compliance obligations can also involve third-party requirements, both obligations to third parties and for third parties, such as notifications to insurers and mitigating losses, and privacy law notifications to customers of a data breach or loss.

During a disaster, a company also has internal compliance obligations especially in employee-focused areas such as wage and hour/payroll, ADA accommodations, and safety, but also in areas of fiduciary duty such as physical security and asset protection, record retention, and business continuity, as well as data protection and information security. During a disaster, a company must still act consistently with its core values, code of conduct, policies, licenses, and even certifications, such as ISO.

The panelists also provided some useful tips for preparedness. They recommended using a central “dashboard” as a go-to tool during a disaster so that the C-suite can oversee and manage the critical touchpoints during the phases of the disaster from planning through recovery. Compliance should have input during disaster planning to ensure the dashboard includes all touchpoint compliance requirements and be sure to track and update those touchpoints during all disaster phases.

In summary, effective disaster planning requires compliance to have a seat at the table to ensure line of sight of the various legal obligations and compliance requirements incurred when disaster strikes. In order to mitigate legal risk to the organization, compliance professionals should ask probing questions about disaster and business continuity plans. It is never too early to plan, but it certainly can be too late!