3 legal and compliance mandates for Russia-Ukraine conflict
When considering a business’ response to the Russian invasion of Ukraine, three critical areas must be examined, argued global tech research and consulting firm Gartner.
There are three areas, Gartner believed, that must frame the legal and compliance response to the ongoing conflict in eastern Europe.
According to Gartner Legal (risk and compliance) vice-president Stephanie Quaranta, the pressure for companies to take a firm stance on social issues has been building across the past two years, “but with the Russian invasion of Ukraine there are significant operation issues to consider as well”.
In order to assist legal and compliance leaders in consolidating their strategies, Gartner outlined three areas in which involvement from the legal department will be critical moving forward.
Compliance with complex sanctions
Complying with an ever-evolving list of sanctions will likely, Gartner noted, be an organisational response that assurance functions will own. As such, it is essential that legal and compliance leaders assume a “central role” in advising the C-suite on how those sanctions will impact upon the business and how to ensure compliance.
Law departments should “advise on how to implement sanctions requirements and best protect employees on the ground who are at risk of being held criminally liable for the organisation’s response to sanctions, given the aggressive blocking legislation passed in Russia”, the firm said.
Moreover, they should “assess sales and supplier contracts to identify those impacted by sanctions and sort those into two groups: those that can be terminated immediately and those with a wind down period, then provide sales, service, and sourcing colleagues with appropriate scripting and procedures for informing sanctions parties that contracts will be terminated”.
Additionally, the law department should be partnering with procurement and supply chains, Gartner went on, “to identify third parties that now need extended due diligence or ongoing monitoring. Further, connect with any vendors the department uses to conduct due diligence to understand how they are updating their processes to reflect new sanctions.”
Finally, they must ensure that “robust due diligence is in place on any foreign entity that is a planned recipient of corporate donations to identify potential issues and determine whether it is necessary to review any charitable donations or connections”.
Leaders in legal and compliance can also, Gartner continued, assume duties in shaping a business’ response to and making decisions about how to manage the workforce.
They should, the firm detailed, review planned statements, advise on support and communications for employees in impacted regions, identify employee visa implications, proactively mitigate the potential for increased discrimination, harassment or inappropriate behaviour directed at employees because of location or ethnic background, advise on working with sanctioned entities on what parts of their job they can still execute and how, and also review planned statements put together by the organisation’s CSR or corporate communications team to identify any areas requiring guidance in light of recent events.
While Gartner conceded that it is unlikely to be a domain that is owned by legal and compliance professionals, cyber security “embodies risks that they must manage”, the firm wrote, and as such, the law department must be involved in any response to this.
“Partner with information security teams to review any clauses specific to ‘war or hostile acts’ in cyber insurance policies, review existing arrangements with cyber incident response providers (including outside counsel), and consider putting providers on retainer if not already,” it suggested.
“Ensure legal is involved in regular tabletop exercises for cybersecurity events. A scenario planning exercise will help stakeholders to identify areas of responsibility and gaps in response capability.”
And, finally, it advised to “communicate evolving standards for cybersecurity protections to third-party vendors, and ensure ongoing monitoring and action – including provisions for termination of vendor contracts if they do not meet standards”.