The corporate compliance disasters at Michigan State University, Uber, and Wells Fargo led to very high financial cost, and cost CEOs and other top brass their jobs. How can leaders avoid compliance fiascos? MSU’s interim president is focused on processes and rules. That’s not enough, or even the most important thing, as I explain in the following op-ed, originally published in Crain’s Detroit Business:
Michigan State University will soon get a chief compliance officer, but it still has a problem — and it starts at the top.
No new title or office will fix a culture that missed or ignored warning signs involving the behavior of gymnastics doctor Larry Nassar and Dean William Strampel, both of whom were star performers at the university. MSU provides an object lesson that business owners and executives ignore at their peril.
When a top performer gets a pass for bad behavior, the organization learns. It learns not to push important people too hard on integrity. It learns cynicism. It learns how to get away with bad behavior. And MSU is hardly the only organization with this issue.
Uber. Wells Fargo. MSU.
Uber had a process for handling complaints of sexual harassment. Susan Fowler, the soon-to-be famous whistleblower, invoked this process by going to the human resources department. She was told the harasser was a top performer, so nothing could be done.
Wells Fargo had multiple policies and processes to prevent improper transactions. Its process flagged employees opening fraudulent accounts, effectively stealing from customers. But that business unit was very successful, and thus its leader was a star performer. She argued that it was stealing from only a small percentage of customers and could reimburse any customers who complained. The leader was allowed to prevent reports from getting to the corporate office and the board.
Michigan State had a process for performance reviews of deans and for investigation of Title IX complaints. Numerous reports of sexual harassment by Strampel were considered in his performance review. There were investigations of reported abuse by Nassar. But Strampel was an important and successful dean, and Nassar brought renown to the university by treating elite gymnasts.
They were given the star treatment. Their misdeeds were ignored.
In each of these examples an important and powerful person became involved in a process designed to detect and prevent misbehavior. In each, the culture gave privilege to the powerful, the process was cut off and horrible things happened. And in each, the consequences for the organization, and for the CEO and several levels of top brass, were dire.
At MSU, hiring a chief compliance officer and creating an office to correct what interim MSU President John Engler called a “diffuse and disorganized” administration aren’t the most important part of the solution.
Over many years as a general counsel, building compliance programs and working through compliance problems at multinational companies, I’ve learned that more processes aren’t enough to change the result, and that hard work by leadership is the key factor for success.
Mr. Engler (or the CEO of any company) cannot simply delegate compliance to compliance people. A compliance office exists to help leadership build a culture and apply high standards of conduct, not to “do” compliance so leadership can ignore it. Compliance professionals can spot red flags, but only leadership can do something about them. Here are a few key elements of a successful compliance program, which only MSU’s top leaders can provide:
- Encourage people to report concerns, ask uncomfortable questions and prevent retaliation.
- Ensure that each employee and student knows that her or his boss, coach or teacher expects and models ethical conduct and compliance.
- Create incentives for good conduct and avoid incentives for bad conduct.
- Use the data the compliance office will generate to change the organization.
And, especially important in light of MSU’s history:
- Assure there is only one standard: Important people can’t get away with bad conduct, bad conduct is penalized appropriately, and compliance is not used as a pretext to punish people.
And how would your organization’s culture stack up? Has the CEO given a top performer a pass on an ethical or legal violation because that person is “just too important to the business right now?” Have you disciplined subordinates but not even given a public reprimand to a culpable superior? Have you let a star escape a process because he or she is “too busy” adding value? That value, and much more, can disappear very quickly.
A compliance officer can add a lot of value by helping leadership lead. But it’s up to leadership to make any compliance effort real.
The corporate compliance disasters at Michigan State University, Uber, and Wells Fargo led to very high financial cost, and cost CEOs and other top brass their jobs. How can leaders avoid compliance fiascos? I was able to provide my perspective in an article on Michigan State in The Detroit Free Press (The Free Press writer’s name is similar to mine, but it’s not my article):
It can also help to make sure the rules are being applied to everyone fairly and not waived for important people, said David Jaffe, an attorney specializing in compliance and the former vice president, general counsel and secretary of Guardian Industries Corp. of Auburn Hills, along with former partner in the law firm of Honigman Miller Schwartz and Cohn in Detroit.
“The CCO will have to help the university build a culture in which every employee — and student — understands that her or his boss, and the institution, expect ethical conduct and compliance, in which there is one standard of conduct for everyone, no matter how important, and in which asking questions and reporting possible violations are encouraged and retaliation is prevented,” Jaffe said. “This is all good to do. It will be extremely helpful if there’s also work on the culture. The devil will be in the details and in the level of independence that the office will have.”
This piece was originally published in the Detroit News, but has been updated to reflect recent developments.
The fiasco at Wells Fargo, where bankers opened thousands of fraudulent accounts leading to litigation, enforcement, fines and a stunning loss of reputation, is old news. The consequences, however, continue to play out for the company and its leaders. A new report released last week by the Wells Fargo Board’s independent directors shows that the company lacked key elements of effective compliance and ethics efforts. A review of the report offers important lessons for other companies.
The Board singled out John Stumpf, former CEO, and Carrie Tolstedt, former President of the Community Bank – the division where the fraud took place – for blame. It ordered them to forfeit over $100 million of compensation, it reduced 2016 executive bonuses for others by an aggregate $32 million, and fired for cause four other officers in the Community Bank. These dire consequences for individuals have set a new precedent for corporate boards to follow.
Key elements of the report highlight essential compliance and ethics principles that Wells Fargo missed, and that business leaders need to know. These principles come from the Department of Justice’s standards for compliance and ethics programs and from the accumulated experience of executives trying to keep their companies out of harm’s way.
First, the Community Bank had its own risk management department, which reported to the head of the division, not to a corporate officer, and did not have access to directors. Tolstedt, according to the report, adamantly and strictly limited communication between “her” team and the corporate level risk team (and the Board).
The critical lesson: Businesses need a compliance and ethics function that is independent of operating management, is empowered to participate in decision-making, and has direct access to the Board.
Second, Wells Fargo incorporated its compliance and ethics efforts into a Risk Department, which looked at ethics issues mainly through the lens of enterprise risk management (ERM). ERM usually focuses statistically on the potential impact of a risk on the financial statements. Wells Fargo’s risk team knew that hundreds of employees per year had been fired for violations of account opening rules; but it only saw a problem that affected fewer than one percent of the bank’s employees, and that the amounts involved in each case were quite small.
Seeing a problem involving (relatively) modest numbers of employees and sums of money, Wells Fargo saw a modest problem. A team with a focus on integrity would likely have seen a fundamental problem and appreciated the ways in which the problem could snowball.
The critical lesson: Compliance and Ethics is different from ERM, even though the two areas overlap.
Third, to the extent that it saw problems, Wells Fargo focused its efforts on firing employees who broke rules, not on requiring integrity. Management knew that some employees were opening accounts fraudulently, and that some supervisors were encouraging them. Some senior executives in the Community Bank recognized that its sales incentive system encouraged the bad conduct and argued for change. But the senior leaders “were concerned that tightening up too much on quality would risk lowering sales … [and] were reluctant to take steps that … might have a negative impact on … financial performance.” Senior leaders waited until unethical behavior blew up into a crisis.
The critical lessons: Every employee at every level must know that her boss requires ethical conduct and compliance.
Companies must create incentives for good conduct and avoid incentives for bad conduct.
Finally, Stumpf gave deference to Tolstedt and hesitated to dig deeply. The Community Bank was very profitable and Stumpf considered Tolstedt the “best banker in America.” As a result, she was not scrutinized carefully, was allowed to restrict communication, and was given deference in decision-making, even after account problems became known at the corporate level and Los Angeles County sued Wells Fargo over fraudulent accounts.
The report complains that management withheld information from the Board, but reveals that directors failed to push to get the whole story. Last Tuesday, the directors endured a humiliating annual meeting where many were barely re-elected. They will face tremendous pressure in the coming days and weeks.
The critical lessons: There must be one standard of conduct; important or successful people can’t be allowed to get away with bad conduct.
Directors can’t be passive about compliance and ethics.
For businesses – and their leaders – the cost of bad conduct can be astronomical. An investment in learning and applying essential principles of compliance and ethics programs will provide a great return by significantly reducing the risk of expensive and career-killing disasters.