Covid-19 and the Impact on Corporate Governance and Compliance in Colombia
While a company is solvent and able to perform its corporate purpose in the ordinary course of business, the interests of the company, its shareholders and managers, and even its creditors are generally aligned. However, in a situation of crisis and disruption in the business activities such as the ones faced during the ongoing covid-19 crisis, the interests of the different stakeholders in a company may change. In a crisis scenario, the managers, directors and shareholders may have different approaches towards taking risks, including limiting and reducing personal exposure, minimising losses, protecting the market, shielding bonuses and other incentives and adopting aggressive business strategies that may increase the business risk beyond the ordinary.
When the covid-19 pandemic struck, most companies were unprepared to deal with the challenges created by such an extraordinary situation. Running a business in the middle of a pandemic-related crisis presented companies and their managers and shareholders with new situations and challenges, and represented a difficult test for leadership and corporate governance structures, highlighting strong structures and adversely affecting weaker ones.
The covid-19 crisis dramatically altered corporate management and organisation and has certainly been a game changer. In the short term, companies and their managers implemented changes to the way the different corporate bodies interact; remote working, online board meetings and even digital social gatherings are now commonplace in many companies. In the long term, it will be the companies that apply the hard-learned lessons that will be in a better position to face and overcome the challenges of future and unknown situations.
The purpose of this chapter is to lay out the specific duties imposed on administrators and other stakeholders of companies acting in Colombia, including those triggered by the covid-19 crisis and its aftermath. We will review such duties from a corporate and compliance perspective, including civil and criminal exposure that the crisis has imposed on managers and shareholders of Colombian companies.
Fiduciary duties of managers (directors and legal representatives) in general
Under Colombian law, administrators of companies (mainly legal representatives and members of the board of directors) have certain duties of conduct, known as fiduciary duties. Administrators must always act with good faith. Administrators must act with the diligence of a good businessperson, and must always act with loyalty towards the company.
Failure to comply with those duties will make the administrators jointly and severally liable, towards the company, its shareholders or third parties, for any damage caused to the extent there is wilful misconduct or negligence, except to the extent that any of those administrators had no knowledge of the action or omission being questioned, or if there is evidence that the administrator voted against the relevant decision, to the extent that the administrator did not participate in its implementation.
Generally speaking, the fiduciary duties described above impose the following practical duties.
Administrators must always act in the best interests of the company while considering the interests of shareholders in their decisions, refraining from prioritising their own or a third party’s interests and giving a fair treatment to all shareholders, and shall observe shareholders’ (quite limited) right of information.
Administrators must also act professionally, pondering risks and benefits with a technical and sensible approach, guiding their conduct by good faith and avoiding negligence.
Unless otherwise authorised by the shareholders, administrators must refrain from participating directly or indirectly in activities that imply competition with the company. Also, they must avoid engaging in acts with respect to which there is a conflict of interest without such prior authorisation.
Administrators should refrain from executing actions or incurring omissions that may cause harm to the company and, in any case, they must refrain from approving such decisions and, if approved, they should refrain from executing them.
Interestingly, case law from the Colombian Superintendency of Corporations has ruled that controlling shareholders also have certain duties towards other shareholders, which imposes on them the duty to act with loyalty. This duty is considered to be breached when the controlling shareholder abuses its right to impose a majority on the decisions made by shareholder meetings in detriment of the interests of the company.
Administrators’ legal duties and roles during a crisis: teachings from the covid-19 pandemic
Administrators have the duty of leading the company to the proper development of its purpose, while assuring strict compliance with legal and organisational charter provisions. In their mission, administrators must ensure the proper development of the functions entrusted to the statutory auditor and assure and protect the commercial and industrial proprietary information of the company while refraining from improper use of privileged information.
In times of crisis, administrators had to and continue to make decisions quickly, taking into account that, as described above, the interests of different stakeholders have changed and may conflict with each other. In their decision-making process, administrators should take into consideration the following standards, developed during the covid-19 crisis, and that are still likely to be evaluated by Colombian courts to determine whether fiduciary duties were complied with:
- Exercise care and independent judgement: at the onset of a crisis, it is difficult to anticipate its extent. Consequences of a crisis such as the covid-19 pandemic may affect not only the company, but also the community as a whole. Once there is an indication that a crisis is coming, administrators must consider that the company has many different stakeholders (employees, creditors, consumers, etc.) that may be affected by unsound decisions.
- Think ahead of events and learn from examples: once it was certain that a pandemic was underway, and the virus was spreading throughout the world, government officials took different approaches. In several countries, not acting in time resulted in thousands of casualties. Other countries timely reacted to the issue and were able to prevent a higher death toll. Planning to recommence business is also part of the administrator’s responsibilities. Being unprepared for this may put a company at a disadvantage before its competitors and impact the company’s income and profits. Companies should design scenarios for restarting their business and monitor the assumptions on which those projections were based.
- Act reasonably, with integrity and common sense: administrators’ duty to use a critical approach to certain decisions, challenging things that make them feel uncomfortable and raising concerns promptly has been a determinant in their decision-making process and should continue to be in the aftermath. It has been evidenced that an administrator’s role is better achieved when working as a team with colleagues and company functional specialists to get help and support where needed and find appropriate solutions.
- Employment matters: before adopting any employment measure, an administrator must fully understand and assess the potential labour risks behind it. Virtual work and implementation of sanitary regulations have been implemented and shall remain. Remember that the government is closely watching employment decisions adopted by companies and will act to safeguard employees’ rights and avoid collective dismissals.
- Contractual relationships: suspending the compliance of contractual obligations and the receipt of notices from counterparties seeking to suspend their obligations is a matter that should be carefully reviewed on a case-by-case basis. Suspending on the ground of force majeure could potentially be rendered groundless in the case of litigation if strict legal and factual requirements are not met or properly evidenced. Particularly, after a certain amount of time has elapsed, the crisis stops being an unforeseeable event, which is a requirement to successfully argue an event of force majeure.
- Financial position: administrators should continue taking special care of the company’s cash flow. The financial situation of the company should be continuously monitored. Administrators must ensure the right level and regularity of financial information is available and take time to review it and ask questions. The slowdown, government reliefs (including tax calendars) and bank reliefs may create opportunities to control expenses and safeguard cash flow. If an administrator becomes concerned that the company is in, or may face, financial difficulties, steps should be taken to minimise losses and the issue should be raised immediately so that appropriate and timely advice can be obtained. Keeping quiet and hoping for the best is not an option. If insolvency is a possibility, administrators should learn about alternatives available under Colombian bankruptcy law applicable to the business.
- Be informed: with the onset of a big public crisis, the pace at which a new regulation is enacted continues to be voluminous and still seems unmanageable. Teams within the company should be appointed to follow up on the current status of a new regulation; help from specialised counsel is always a good option.
- Organisational charter and powers: administrators must make sure that all measures and decisions are taken in compliance with by-laws and any other charter documents, and within the scope of the corporate powers or after receiving any requisite corporate authorisation. Administrators should keep the board of directors and the stakeholders well informed about the effects of the crisis with regard to the business.
- Telework and company information: protecting the company’s information during the virtualisation of operations is a must. As companies have implemented remote working schemes, connections and security standards must be proportional to the importance of the information being exchanged. Emails and other electronic communication may be requested by shareholders or surveillance authorities to serve as evidence. It is important to maintain professional and careful language, and to take measures to preserve the correspondence for the future.
Once the effects of the covid-19 pandemic begun to be understood and managed, the hard-learned lessons moved governments and organisations to develop guidelines and regulations to allow companies and businesses to overcome the adverse effect of the current crisis, and to put in place safeguards that will help them to cope with the effects of future ones. For instance, in the context of the recently issued corporate governance guidelines, the Superintendency of Companies suggests issuing a contingency and business continuity plan that would allow for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a management system that responds to disruptive events that have a negative impact on company operations. According to the guidelines, the plan should set forth stages for reactivation and recovery of business activities and a strategy for crisis management and communications. The Superintendency also suggests creating a crisis management committee and setting up proper communication protocols and channels between different business areas and management, as well as management and the board of directors or equivalent body, in order to maintain a flow of information conducive to addressing challenges in a timely and opportune manner. Companies doing business in Colombia are encouraged to review and implement the measures suggested in the guidelines.
What should the role of shareholders be during a crisis? In large, listed companies, shareholders’ activism will likely become more of a phenomenon with shareholders asking for improvement to access to information and more transparency; a very important focus will be on executive compensation and payment of dividends. In smaller, non-listed companies, shareholders will very likely be asked to contribute additional funds to cope with the crisis, and in return, shareholders will ask the company to be granted with additional rights regarding approvals at the shareholders level, and to increase the level of oversight and control over performance of the administrators.
Fiduciary duties of administrators during a crisis from a compliance perspective
The covid-19 crisis put an enormous burden on administrators tasked with keeping businesses afloat while dealing with an ever-changing regulatory framework. Although the attention of administrators and corporate governance bodies is usually focused on the most pressing decisions and problems (supply chain disruption, immediate impact of lockdowns, etc.), administrators and compliance officers should not disregard the compliance risks presented by the crisis, taking into account the criminal, commercial, reputational and criminal risks associated with those situations.
In many industries, the crisis situations caused by covid-19, together with the well-intended measures adopted by the government, created scenarios that exacerbate compliance risks. For instance, in Colombia the government approved massive social programmes with subsidies related to public utilities, payroll benefits, incentives for construction and acquisition of new houses and benefits to the agricultural sector, among others.
But, in addition to that, many government entities at the national, regional and municipal levels introduced a series of measures aimed at making the formalities and procedures for entering into procurement agreements more flexible, mainly the declaration of a state of ‘evident urgency’, which allows public entities to enter into agreements swiftly with private parties, without having to conduct a public bidding process. Some of these measures remain in place.
These two situations (the injection of government funds into the economy and the making of rules for public procurement more flexible) triggered an unprecedented reaction by its main enforcing agencies: the General Attorney’s Office, in charge of investigating and prosecuting crimes, the Public Ministry, which is in charge of investigating the conduct of government officers and the Comptrollers Office, which investigates and controls the use of government funds.
During the initial stages of the covid-19 crisis, these three entities set up a task force, and put under review all contracts entered into by government entities under state of urgency powers. They conducted and concluded several investigations in cases dealing with allegations of contractors not qualified to perform certain contracts, in cases where costs overrun in the procurement of medical equipment and in cases involving the existence of ‘ghost beneficiaries’ for social programmes.
Several months after the onset of the covid-19 crisis, and motivated in part by its effects, the Colombian agencies enacted substantial reforms of Colombian compliance regulations, including important modifications to the anti-money laundering and anti-corruption rules. New regulations include:
- broadening the scope of companies mandated by law to implement compliance programmes;
- imposing obligations on companies to implement a more robust risk management methodology, including the obligation to create a risk matrix, and to implement tools and controls to monitor commercial relationships with contractors;
- new rules regarding and strengthening compliance control and procedures as well as imposing reporting obligations on companies and their compliance officers;
- the requirement for compliance programmes to include controls and procedures aimed at dealing not only with cross-border bribery, but also with domestic corruption;
- a specific set of obligations imposed on managers, board members, compliance officers and statutory auditors; and
- new rules regarding the qualifications and credentials of compliance officers, and regulation of possible conflicts of interest.
Although the effects of the crisis are going to last, administrators of companies must be aware that their actions now are going to be reviewed in a post-crisis scenario, and choices that seem logical here and now may be reviewed with a different optic in the future. So, taking this into account, fiduciary duties owed by the administrators to the company suggest they take the following actions, not only to mitigate compliance risks from this crisis, but also to anticipate and cope with the next one:
- Implement and improve specific procedures for contracting with government entities: Colombian compliance regulations do not mandate all companies to have in place specific procedures and controls to enter into contracts with government entities. In a crisis scenario, public procurement may be an excellent opportunity and source of new businesses. But companies should enact protocols to deal with government entities and incorporate those protocols in their compliance programmes.
- New risk assessments should be conducted: if new distribution channels or business opportunities are being pursued, internal risks matrixes should be updated to highlight new risks associated with those changes.
- Internal training programmes should be updated: it is important to make sure that the risks arising out of the new situations are understood inside the organisation.
- Anti-money laundering and anti-terrorism financing procedures should be updated in line with new regulations and aim to adapt to a new environment in which remote commercial relationships are commonplace.
The conditions created by covid-19 also increased the risk of internal fraud. Counter-fraud measures should be adopted; for instance:
- validating that employees can continue to operate remotely with an appropriate level of control;
- if a company has overseas operations, the company must secure and store business and accounting records and ensure that effective measures are in place to avoid data theft; and
- fostering a culture in which employees can be confident that whistle-blowers have adequate protection.
Administrators’ exposure to criminal liability
In the exceptional circumstances in which businesses are being carried out, with great stress to the economy, companies are fundamental actors in maintaining the economic system and are the protagonists in the revival of industries and businesses during and after the emergency.
However, administrators are concerned by the increase in their exposure to criminal liability. The facts increasing the risks of criminal exposure should be identified and addressed and be managed and monitored without neglecting the objective of preserving the economic activity of the company.
For the administrators, this management of risks is very important since, as there is no criminal responsibility in Colombia for legal entities, they are the first to be called to respond to criminal law, either because they actively intervened in an act considered as a crime, because they failed to prevent a violation of the law or because, by acting on behalf of the company, they sought the benefit of it at the cost of a criminal offence.
Likewise, it is also necessary to manage the criminal risks that may affect companies as victims, as could happen in cases of cybercrimes.
Exposure for economic crimes
With the onset of the emergency, many consumers turned to businesses to stock up on basic products. In addition, many companies took advantage of the unusual consumer behaviour to increase product prices. In some cases, prices simply fluctuated in a certain way due to external factors. All of these situations may have criminal relevance, and in some cases may set up criminal liability for the administrators of companies potentially involved in this type of behaviour.
Colombian criminal law sanctions the acts of hoarding and speculation. Criminal law dealing with these crimes seeks to protect consumers and the market, issuing penalties in the form of prison time and fines.
While the hoarding crime consists of subtracting products officially considered by the competent authority as being of first necessity from the market, the crime of speculation relates to the conduct of the manufacturer, producer or wholesale distributor offering to sell an article officially considered by the competent authority to be of primary necessity at a price that is higher than that set by the competent authority.
A list details 26 products that are officially considered essential and prices in connection with such products are subject to control and monitoring by government authorities. Depending on multiple factors, such as the behaviour of the market, consumers, the pandemic and the emergency in general, these administrative provisions may change, along with the crime.
Therefore, it proved advisable to appoint a team to constantly review official sources and verify the issuing of regulations that may affect the activity of the company and that are relevant to avoid any possible criminal activity.
Despite the unusual consumer behaviour identified at the beginning of the crisis, conduct quickly stabilised. On the one hand, consumers realised that there was no need to hoard goods given the great availability of products; on the other, wholesale distributors guaranteed a steady flow of goods and products, mainly due to the relaxation of emergency import regulations.
Exposure for sanitary crimes
Similarly to other countries, at the beginning of the crisis Colombian authorities enacted various measures to prevent the spread of the virus among the population. Thus, measures such as social distancing, the closure of air, land, river and sea borders, and the export ban on certain products to prevent internal shortages were enacted. By September 2020, most of these measures had been lifted or eased, but the government has announced that some of those orders may be reinstated in the event of future waves of the virus.
All the above-mentioned measures that the authorities adopt in the context of the sanitary emergency are sanitary measures, so their violation implies the risk of committing a crime.
In particular, the crime of violation of a sanitary order consists of not complying with a sanitary measure adopted by a competent authority to prevent the introduction or spread of a dangerous and contagious disease in the country. This class of crime belongs to a special category in which the examination of whether the crime has been committed must be consulted in concordance with other legal provisions, such as, in the public health crisis context, measures issued by the public health authority.
Therefore, management should constantly review official sources and verify the issuing of regulations that may affect the activity of the company and that are relevant to avoid any possible criminal activity.
Even though there were real risks of committing this crime, specialised forums debated the actual reach of this criminal offence, concluding that a real threat to public health was required to uphold criminal charges. Later, in a mediation case involving Bogotá’s mayor, authorities adopted this rule, stating that the crime of violating sanitary measures needed to cause concrete harm to the public health to be punishable.
Exposure for involuntary homicide or involuntary personal injury crimes
Although companies and their administrators are not criminally responsible for the way a virus behaves or for the self-care measures that its workers take, they are responsible for acting diligently to provide workers with the necessary security elements to be able to do their work in those situations in which their work involves a risk for them; administrators are also responsible for designing, in compliance with rules set by national and local authorities, work protocols during the pandemic aimed at avoiding contagion. In the context of the pandemic, these minimum safety elements are those related to self-care, such as face masks, antibacterial gels or gloves, depending on the work being carried out, as well as cleaning and disinfection, social distancing and policies against mass social gatherings. Failure by staff to comply with the measures ordered by the company can result in serious offences and even merit termination of labour agreements.
In this sense, there is a risk of criminal liability for employers who do not fulfil their duty to protect the health of their workers or fail to implement appropriate safety protocols; this risk exposes them to criminal liability if measures have not been implemented to protect workers and avoid damage by workers being exposed to the virus in the course of their work.
However, if the employee ignores the protocols implemented by the employer, and as a result death or injuries ensues, or, despite the employer’s due diligence in implementing the expected standard of protocols, they fail, the employer’s criminal liability would be dismissed; this is because there would be an exclusive fault of the victim in the first case and, in the second case, an absence of fault, which is a requirement in an involuntary homicide crime conviction.
Exposure for cybercrimes
The need for economic activity continuity has resulted in information and communication technologies becoming highly relevant. Accordingly, many companies have implemented home office techniques, which allow meetings via videoconference or online access to a company’s documents from the office to workers’ homes.
This situation exposes companies to cybercrimes, to the extent that the terminals of a worker and the internet network they use do not have the customary security measures implemented in facilities and business networks. These deficiencies could be easily exploited by hackers to the detriment of the interests of the company.
Therefore, it is essential to adequately protect the company’s information during the virtualisation of its operation by implementing computer security measures, which must be proportional to the importance of the information that is managed and exchanged.
Failure to take such measures may impose liability on administrators for failure to comply with their duties.
Several official statistics show that cybercrime was one of the fastest growing criminal segments during the crisis, especially during lockdown periods. These statistics prove that cybersecurity measures are relevant now more than ever.
Covid-19 had devastating effects worldwide and deeply impacted not only business and organisations, but every other aspect of society. The long-lasting effects of covid-19 are beginning to be seen but in many aspects, they will shape the years to come. One thing is clear: a quick and adequate response in the early stages of the crisis improved the chances of business organisations surviving the shockwaves of the pandemic. Although we cannot anticipate when and how the next crisis will hit, companies should be prepared to tackle its effects. The next crisis may not involve extensive lockdowns or disruption of supply chains, but rather political agitation, and security and safety concerns. In the years to come, administrators and shareholders will need to prove themselves by showing strong crisis management capabilities; and companies will not go back to the old ways of doing things, and will see the important advantages of planing and thinking in the long term, rather than just focusing on next quarter’s profits.
 Jaime Herrera Rodriguez and Oscar Tutasaura Castellanos are partners at Posse Herrera Ruiz.