Legal and compliance leaders should consider their response to the Russian invasion of Ukraine in the context of three critical areas, according to Gartner.
“The pressure for companies to take a firm stance on social issues has been building across the past two years, but with the Russian invasion of Ukraine there are significant operation issues to consider as well,” says Stephanie Quaranta, vice-president: research in the Gartner Legal, Risk and Compliance practice.
To help legal and compliance leaders focus their efforts, Gartner experts have identified the following three categories where legal involvement is critical:
Complying with Complex Sanctions
Compliance with a complex and rapidly shifting network of sanctions will likely be an organisational response that is “owned” by assurance functions, so it’s critical that legal and compliance leaders play a central role in advising the C-suite on how sanctions affect their organisation, and how to bring the organisation into compliance.
For legal departments, critical actions include:
* Advise on how to implement sanctions requirements and best protect employees on the ground who are at risk of being held criminally liable for the organisation’s response to sanctions, given the aggressive blocking legislation passed in Russia.
* Assess sales and supplier contracts to identify those impacted by sanctions and sort those into two groups: those that can be terminated immediately and those with a wind down period. Then provide sales, service, and sourcing colleagues with appropriate scripting and procedures for informing sanctions parties that contracts will be terminated. Create real-time communications channel for sharing information among impacted partners as new sanctions are released.
* Partner with procurement and supply chain to identify third parties that now need extended due diligence or ongoing monitoring. Further, connect with any vendors the department uses to conduct due diligence to understand how they are updating their processes to reflect new sanctions.
* Ensure that robust due diligence is in place on any foreign entity that is a planned recipient of corporate donations to identify potential issues and determine whether it is necessary to review any charitable donations or connections (for example, board memberships) for any relation with a sanctioned entity.
Workforce Issues
Legal and compliance leaders play a key role in shaping the organisation’s response and making decisions about how to manage the workforce, including:
* Review planned statements.
* Advise the organisation on support and communications for employees in impacted regions on things such as leave or workplace accommodation available to them.
* Identify any employee visa implications considering recent changes and the organisation’s visa sponsorship policy.
* Proactively mitigate the potential for increased discrimination, harassment or inappropriate behavior directed at employees because of location, ethnic background, or other factors.
* Advise employees working with sanctioned entities on what parts of their job they can still execute and how. If contracts must be terminated, evaluate the indirect impacts on employees, for example those whose compensation may depend on those contracts.
* Review planned statements put together by the organisation’s CSR or corporate communications team to identify any areas requiring guidance in light of recent events.
Cybersecurity
This is unlikely a domain that is owned by legal and compliance, but it embodies risks that they must manage, so it is best to be involved in any response.
* Partner with information security teams to review any clauses specific to “war or hostile acts” in cyberinsurance policies, review existing arrangements with cyber incident response providers (including outside counsel), and consider putting providers on retainer if not already.
* Ensure legal is involved in regular tabletop exercises for cybersecurity events. A scenario planning exercise will help stakeholders to identify areas of responsibility and gaps in response capability.
* Communicate evolving standards for cybersecurity protections to third-party vendors, and ensure ongoing monitoring and action – including provisions for termination of vendor contracts if they do not meet standards.