The COVID-19 pandemic has created unprecedented challenges for business. Utilities have had to quickly overcome the challenges associated with this crisis, without letting critical services such as heat, water, and power lapse. Over the past year, utilities have managed impacts to their workforce, operations, safety protocols, customer service, information technology, and cybersecurity, to name a few.
Utilities are no strangers to crises and unexpected events, issues that can create a variety of legal, regulatory, operational and reputational challenges, and often lead to investigations and litigation. After any crisis, and especially one as significant as COVID-19, utilities should take time to reflect on lessons learned, and reassess their compliance and risk management priorities so that they can be better prepared for the next crisis. There are several areas that management and chief compliance officers should address as they recalibrate their policies and procedures for the post-COVID world.
Effective communication is critical to any crisis response. During the COVID-19 pandemic, communication has been key to reassuring customers, keeping regulators informed, and helping employees navigate dramatic changes to their work environment. Many businesses implemented regular calls with leaders from every area of the company so they could strategize and coordinate their response to emerging issues.
As the crisis subsides, management and compliance should continue to reinforce this type of company-wide communication. It’s important to identify vulnerabilities that management and compliance officers may not be aware of. At the same time, management and compliance may be able to identify company-wide risks that would not be apparent to independent business area leaders. They may be able to incorporate insight from the company’s regulatory group or anticipate political forces that are relevant to a particular issue.
Many utilities adjusted their customer service offerings during the pandemic. They may have increased online services, automated certain functions, closed physical locations, adjusted billing and collection practices, and halted disconnections. Utilities should take time to evaluate these changes from a risk management and compliance perspective. They should also consider reputational risk associated with any customer-facing activities.
Companies should ensure that billing, collection, and disconnection policies comply with all relevant regulations as well as any changing executive orders. Most states instituted moratoria on disconnections during the early months of the pandemic. Some of these have expired, and some utilities have voluntarily halted disconnections. Should disconnections resume, either as permitted by law or as individual utilities deem appropriate, companies will need to determine what to do for customers who have significant arrears and are unable to pay. These decisions should be made with sufficient input from legal, regulatory, compliance, and customer service groups. Utilities should also consider whether new or revised policies and procedures are needed to formalize changes to customer service, and whether employees would benefit from additional training.
In addition to increasing remote service offerings for customers, many utilities transitioned at least in part to a remote workforce during the pandemic. As utilities rely more on technology, they become more vulnerable to cyberattacks and data breaches. Companies should evaluate their cybersecurity programs and work with compliance to mitigate associated risks.
As a starting point, the company’s policies and procedures must be compliant with applicable data security and privacy regulations. Utilities should evaluate whether new systems and programs that were implemented in response to the pandemic have been adequately tested and vetted, and consider whether policies and procedures need to be updated. Newly automated systems should be closely monitored.
Utilities should also take stock of the sources of private customer information that are being stored on company systems—such as billing, smart metering, and smart home initiatives—and ensure that this data is adequately protected. A plan should be in place in the event that a data breach occurs.
Compliance should also consider the implications of a remote workforce. Employees who are working from home are at increased risk of social engineering attacks, and may be using less secure internet connections to access company systems. Management should work with compliance and information technology leaders within the company to mitigate these risks.
Infrastructure and Operations
During an emergency, resources are rightly directed to the crisis at hand, and other priorities are understandably put on hold. Regulators and stakeholders will likely understand that some delays and adjustments were necessary in light of the pandemic. However, as the pandemic moves into a second year, it is important for management and compliance to evaluate other priorities and risk areas that may have been neglected for the past 12 months.
As utilities get set to take on the challenges for 2021, compliance departments should take time to reflect on the lessons learned from the COVID-19 pandemic and reassess risk based on those lessons. Preparing for a post-pandemic world now will help prevent future crises and keep operations running safely and effectively.
—Tom Kokalas is a partner in Bracewell’s New York office in the Government Enforcement & Investigations practice. Daniel Connolly is the managing partner of Bracewell’s New York office. Rebecca Foxwell is an associate in Bracewell’s New York office. Learn more at bracewell.com.