As MSU and Uber show, compliance starts at top
The corporate compliance disasters at Michigan State University, Uber, and Wells Fargo led to very high financial cost, and cost CEOs and other top brass their jobs. How can leaders avoid compliance fiascos? MSU’s interim president is focused on processes and rules. That’s not enough, or even the most important thing, as I explain in the following op-ed, originally published in Crain’s Detroit Business:
Michigan State University will soon get a chief compliance officer, but it still has a problem — and it starts at the top.
No new title or office will fix a culture that missed or ignored warning signs involving the behavior of gymnastics doctor Larry Nassar and Dean William Strampel, both of whom were star performers at the university. MSU provides an object lesson that business owners and executives ignore at their peril.
When a top performer gets a pass for bad behavior, the organization learns. It learns not to push important people too hard on integrity. It learns cynicism. It learns how to get away with bad behavior. And MSU is hardly the only organization with this issue.
Uber. Wells Fargo. MSU.
Uber had a process for handling complaints of sexual harassment. Susan Fowler, the soon-to-be famous whistleblower, invoked this process by going to the human resources department. She was told the harasser was a top performer, so nothing could be done.
Wells Fargo had multiple policies and processes to prevent improper transactions. Its process flagged employees opening fraudulent accounts, effectively stealing from customers. But that business unit was very successful, and thus its leader was a star performer. She argued that it was stealing from only a small percentage of customers and could reimburse any customers who complained. The leader was allowed to prevent reports from getting to the corporate office and the board.
Michigan State had a process for performance reviews of deans and for investigation of Title IX complaints. Numerous reports of sexual harassment by Strampel were considered in his performance review. There were investigations of reported abuse by Nassar. But Strampel was an important and successful dean, and Nassar brought renown to the university by treating elite gymnasts.
They were given the star treatment. Their misdeeds were ignored.
In each of these examples an important and powerful person became involved in a process designed to detect and prevent misbehavior. In each, the culture gave privilege to the powerful, the process was cut off and horrible things happened. And in each, the consequences for the organization, and for the CEO and several levels of top brass, were dire.
At MSU, hiring a chief compliance officer and creating an office to correct what interim MSU President John Engler called a “diffuse and disorganized” administration aren’t the most important part of the solution.
Over many years as a general counsel, building compliance programs and working through compliance problems at multinational companies, I’ve learned that more processes aren’t enough to change the result, and that hard work by leadership is the key factor for success.
Mr. Engler (or the CEO of any company) cannot simply delegate compliance to compliance people. A compliance office exists to help leadership build a culture and apply high standards of conduct, not to “do” compliance so leadership can ignore it. Compliance professionals can spot red flags, but only leadership can do something about them. Here are a few key elements of a successful compliance program, which only MSU’s top leaders can provide:
- Encourage people to report concerns and ask uncomfortable questions, and prevent retaliation.
- Ensure that each employee and student knows that her or his boss, coach or teacher expects and models ethical conduct and compliance.
- Create incentives for good conduct and avoid incentives for bad conduct.
- Use the data the compliance office will generate to change the organization.
And, especially important in light of MSU’s history:
- Assure there is only one standard: Important people can’t get away with bad conduct, bad conduct is penalized appropriately, and compliance is not used as a pretext to punish people.
And how would your organization’s culture stack up? Has the CEO given a top performer a pass on an ethical or legal violation because that person is “just too important to the business right now?” Have you disciplined subordinates but not even given a public reprimand to a culpable superior? Have you let a star escape a process because he or she is “too busy” adding value? That value, and much more, can disappear very quickly.
A compliance officer can add a lot of value by helping leadership lead. But it’s up to leadership to make any compliance effort real.
Lessons From the Wells Fargo Board Report
This piece was originally published in the Detroit News, but has been updated to reflect recent developments.
The fiasco at Wells Fargo, where bankers opened thousands of fraudulent accounts leading to litigation, enforcement, fines and a stunning loss of reputation, is old news. The consequences, however, continue to play out for the company and its leaders. A new report released last week by the Wells Fargo Board’s independent directors shows that the company lacked key elements of effective compliance and ethics efforts. A review of the report offers important lessons for other companies.
The Board singled out John Stumpf, former CEO, and Carrie Tolstedt, former President of the Community Bank – the division where the fraud took place – for blame. It ordered them to forfeit over $100 million of compensation, it reduced 2016 executive bonuses for others by an aggregate $32 million, and fired for cause four other officers in the Community Bank. These dire consequences for individuals have set a new precedent for corporate boards to follow.
Key elements of the report highlight essential compliance and ethics principles that Wells Fargo missed, and that business leaders need to know. These principles come from the Department of Justice’s standards for compliance and ethics programs and from the accumulated experience of executives trying to keep their companies out of harm’s way.
First, the Community Bank had its own risk management department, which reported to the head of the division, not to a corporate officer, and did not have access to directors. Tolstedt, according to the report, adamantly and strictly limited communication between “her” team and the corporate level risk team (and the Board).
The critical lesson: Businesses need a compliance and ethics function that is independent of operating management, is empowered to participate in decision-making, and has direct access to the Board.
Second, Wells Fargo incorporated its compliance and ethics efforts into a Risk Department, which looked at ethics issues mainly through the lens of enterprise risk management (ERM). ERM usually focuses statistically on the potential impact of a risk on the financial statements. Wells Fargo’s risk team knew that hundreds of employees per year had been fired for violations of account opening rules, but it saw only a problem that affected fewer than one percent of the bank’s employees and involved quite small amounts in each case.
Seeing a problem involving (relatively) modest numbers of employees and sums of money, Wells Fargo saw a modest problem. A team with a focus on integrity would likely have seen a fundamental problem and appreciated the ways in which the problem could snowball.
The critical lesson: Compliance and Ethics is different from ERM, even though the two areas overlap.
Third, to the extent that it saw problems, Wells Fargo focused its efforts on firing employees who broke rules, not on requiring integrity. Management knew that some employees were opening accounts fraudulently, and that some supervisors were encouraging them. Some senior executives in the Community Bank recognized that its sales incentive system encouraged the bad conduct and argued for change. But the senior leaders “were concerned that tightening up too much on quality would risk lowering sales … [and] were reluctant to take steps that … might have a negative impact on … financial performance.” Senior leaders waited until unethical behavior blew up into a crisis.
The critical lessons: Every employee at every level must know that her boss requires ethical conduct and compliance.
Companies must create incentives for good conduct and avoid incentives for bad conduct.
Finally, Stumpf gave deference to Tolstedt and hesitated to dig deeply. The Community Bank was very profitable and Stumpf considered Tolstedt the “best banker in America.” As a result, she was not scrutinized carefully, was allowed to restrict communication, and was given deference in decision-making, even after account problems became known at the corporate level and Los Angeles County sued Wells Fargo over fraudulent accounts.
The report complains that management withheld information from the Board, but reveals that directors failed to push to get the whole story. Last Tuesday, the directors endured a humiliating annual meeting where many were barely re-elected. They will face tremendous pressure in the coming days and weeks.
The critical lessons: There must be one standard of conduct; important or successful people can’t be allowed to get away with bad conduct.
Directors can’t be passive about compliance and ethics.
For businesses – and their leaders – the cost of bad conduct can be astronomical. An investment in learning and applying essential principles of compliance and ethics programs will provide a great return by significantly reducing the risk of expensive and career-killing disasters.
Wells Fargo and the Dangers of One-Way Incentives
Wells Fargo CEO John Stumpf will tell you his company had tone at the top. As its problems with “phantom” accounts persisted for years, it promoted its values and repeatedly urged employees to do the right thing. But the Wells Fargo board just revoked $41 million of Mr. Stumpf’s equity awards. The board set up a new independent investigation, which will further distract management, and which is so independent that Mr. Stumpf will receive no salary while it continues.
Tone is nice. Incentives aligned with ethical – and profitable – conduct could have been better. What can your business learn from Wells Fargo’s experience?
Aggressive cross-selling was an imperative from the top. Front line employees had to open accounts to meet their – and their bosses’ – sales targets and to earn their – and their bosses’ – incentive compensation.
Wells Fargo employees opened 2 million or so fake accounts. Customers lost money, endured hassle and possibly had credit scores cut. As Holman Jenkins points out in The Wall Street Journal, Wells Fargo itself lost money. It incurred the expense of opening and closing millions of accounts on which it made no profit. Like much illegal activity by employees, these “bad acts” were a dead weight loss for the bank.
Yet, when the government announced $185 million in fines, Wells Fargo initially insisted that its sales incentives had nothing to do with the bad behavior. Its manuals and memos required that accounts be opened properly. Then came press reports on sales meetings in which executives told employees not to cheat customers, immediately followed by instructions from supervisors to ignore what was said in the meeting and to do “whatever it takes” to get accounts open.
After fines, bipartisan outrage from Senators, and the opening of multiple criminal investigations, Wells Fargo is now cutting incentives and suspending much of its famous cross-selling.
Is that the right response? Is it possible to align incentives with business results?
People respond to incentives. If you incentivize accounts, you get accounts. Wells Fargo evidently failed to incentivize compliance and profitable accounts, and didn’t have negative incentives, especially for executives. So manuals, memos, and visits from Corporate were its only tools to convince employees to open legitimate (and potentially profitable) accounts.
Employees don’t care what “suits” from Corporate say – they care what their bosses want. What were the bosses’ incentives? Was there a reward for managers whose teams had few unauthorized accounts? Did executives whose teams opened “bad” accounts lose compensation? In principle, the sanction for bad behavior was termination, but people were also fired for failing to meet their sales goals.
Making matters worse, employees who tried to point out the perverse incentives were branded as negative or not team players. There was evidently no channel through which Mr. Stumpf or the board could learn that the imperative of cross-selling more accounts was leading to trouble. Many new lawsuits are claiming retaliation.
To manage your company’s risks effectively, calibrate incentives for both the ends and the means. Include negative incentives. Involve and empower someone who understands compliance risks to be influential at the most senior levels. Then apply incentives consistently to compliance and other business risks — and make sure they stick all the way up the chain of command.
Finally, build a culture that welcomes and pays attention to challenges. As I’ve written elsewhere, it’s easy to deride anyone who questions imperatives from the top, thus missing chances to correct mistakes before they become disasters.
If you can do these things, you can enhance profitability and dramatically reduce your risk of quality time with regulators, prosecutors and Senators.
© 2016 David B. Jaffe
All rights reserved
Europe Moves to Require Compliance Programs – Implications for Business in Europe, the U.S. and Beyond
Businesspeople in continental Europe could be forgiven for wondering if the compliance program is an Anglo-Saxon conspiracy. The modern compliance program originated in the United States with the Federal Organizational Sentencing Guidelines, which include standards for and benefits of an “effective compliance and ethics program.” The United Kingdom picked up this theme, even providing a defense to criminal charges under its Bribery Act for companies with “adequate procedures” to prevent bribery, and a crime of failing to prevent bribery. “Adequate procedures” are a lot like a U.S. compliance program.
Continental European companies have created or enhanced compliance programs after encounters with the American criminal justice system. Siemens of Germany and Alcatel and Total of France are just three of the more (in)famous examples. But for these companies, the impetus for compliance programs has not come from home, but instead from American prosecutors enforcing U.S. law.
Last year, Spain adopted a new criminal code that includes a “compliance program” defense for certain crimes and France adopted “recommended” guidelines for anti-bribery compliance programs. In recent weeks, Spain announced guidelines for compliance programs and France began work on a new anti-corruption law that will reportedly require many companies to establish compliance programs. (The text of the proposed law has not yet been published.) Both Japan and Brazil have recently issued guidelines for anti-bribery compliance programs.
Companies should not take comfort from the “voluntary” nature of the guidelines. It’s true that there is not a legal penalty for failing to have a compliance program. But if your company is caught breaking the law, the likelihood of prosecution and the penalties assessed are much greater for companies without programs that prosecutors consider effective. Not to mention that an effective compliance program will make it less likely that your company breaks the law in the first place.
For multinational companies, wherever they are based, compliance programs become more important as more countries impose requirements. American multinationals will want to make sure that their programs comply with the requirement of each country in which they work. European companies, especially those without major U.S. activities, may have put off focusing on a compliance program because the issue seemed far away, but now find themselves needing to put more focus on developing and implementing them. Companies from other parts of the world may now increase their focus on compliance and compliance programs.
As more countries increase their enforcement efforts, companies can expect to face multiple prosecutions for the same actions. On February 19, VimpelCom, a mobile phone company based in the Netherlands, agreed to pay $397 million to the U.S. for Foreign Corrupt Practices Act violations, and an additional $397 million to the Dutch government for the same activities. In a speech on March 4, 2016, Leslie Caldwell, head of the U.S. Department of Justice’s Criminal Division, explained that prosecutors in 10 countries were directly involved or “provided significant assistance” in this case.
It is exponentially more expensive and challenging to investigate and defend allegations in multiple countries. Ms. Caldwell acknowledged that “in many cases multiple regulators each seek to prosecute companies and individuals . . ., sometimes for what essentially amounts to the same or closely related conduct. We recognize that this raises legitimate questions about fairness.” The cost of investigating and defending several investigations in several countries is itself exponentially greater than the cost of responding to one agency from one country. As Ms. Caldwell put it, “companies that voluntarily operate in multiple countries certainly know that by doing so, they subject themselves to those countries’ laws and regulatory schemes.”
The bottom line: any company that operates in multiple countries should be building or enhancing its capability in the world of compliance and its formal compliance program.
Although each country has its own spin on what makes a compliance program effective, they use complementary concepts and, for now, there are not major contradictions among them. One critically important common element is that a compliance program must be built as a real part of the company’s culture, and not just a paper exercise.
The trend toward requiring formal compliance programs is likely to spread, just as antitrust and anti-corruption enforcement have spread around the world. As it does, the importance of building and implementing an effective compliance program will only grow.
Can Your Company Have a Flint Water Crisis?
This story originally appeared in DBusiness:
The harm done to the residents of Flint from contaminated water will be hard to remedy. The state and federal government agencies and people involved in the decision to deliver that water — even with evidence that it was dangerous — won’t suffer from the effects of lead poisoning, but they have created major problems for themselves. The flow of criticism of the EPA, Gov. Rick Snyder and his team, the Flint City Council, and the litigation, will not be easily stanched.
Unfortunately, disasters like the Flint water crisis also strike many businesses, including companies that are well run by well-intentioned people. Much has been written about the politics of the Flint water crisis; this article will focus on the business lessons to be learned.
Typically, these stories begin with an imperative from the top. Sometimes it’s about adding functionality to a product, but usually, as in Flint, it’s about cutting costs. In many companies, employees perceive a clear message from leadership that the initiative is essential and not to be blocked. The initiative is often implemented quickly without adequate study, while leaders dismiss or ignore information suggesting potential problems.
Flint rushed to disconnect from Detroit’s water supply. In a company, it might be a cost-cutting initiative that looks good on the surface, but once enacted, it damages your equipment, releases dangerous chemicals into the environment, or makes your product unsafe. Other initiatives can create the same effect. Sales might suggest contributions to favorite charities of influential officials. If you don’t find out whether the contributions benefit the officials, you create an expensive Foreign Corrupt Practices Act problem.
These scenarios really happen in business, and in a stunning number of cases, create a debacle that hurts people, the bottom line of the company and the careers of those involved. For example, Enbridge employees ignored alarms before its 2010 oil spill into the Kalamazoo River. BP had a culture of resisting safety concerns before the Bridgewater Horizon explosion, also in 2010. Charitable contributions were part of Stryker’s costly 2013 Foreign Corrupt Practices Act case.
Why does this happen, and how can you prevent it from happening to your company?
Don’t just do something, stand there — and think.
Business emergencies require analysis that is both careful and candid. If you as the leader insist on immediate action without rigorous and intellectually honest study, you’re sending a message that any action is sufficient — even if it causes more harm than good. Flint had never sourced water from the Flint River, yet the decision to do so was made quickly, without thinking through the risks or how to mitigate them. The leader must allow — and require — an analysis that challenges the initiative and the assumptions behind it.
Don’t shoot messengers
When leadership puts out an imperative, it takes courage to challenge proposals, especially after senior leaders express support. Once implementation has begun, it takes even more courage to point out problems. Leaders’ urgency, and their egos, can neutralize important information.
When leaders rush to try something new, they need information about potential problems quickly. Unfortunately, there’s a natural tendency in organizations to defend the initiative and dismiss challenges. In Flint’s case, people who questioned why the water was brown and smelly received “a persistent tone of scorn and derision.”
To get information where it needs to go, you need a culture in which questions and challenges are accepted and encouraged. What happens in an organization when someone challenges a leader’s initiative? If the company’s culture brands this person as “negative,” bad initiatives won’t be challenged, even if the flaws are glaring. Unless challenges are made and considered objectively, the risk of a Flint-like failure is high.
Leadership requires courage
If it takes courage to challenge an important initiative, it takes as much courage for a leader to address the challenge openly and honestly. Leadership comes with a responsibility to be the person who makes sure that business decisions are sound, especially when demands of the board, stock analysts, or the CEO are loud. The consequences of failing to respond instantly may seem dire.
But the consequences of allowing a dangerous mistake to be made and to continue uncorrected are truly disastrous. Companies need a culture in which important decisions get analysis, and challenges are not dismissed. Leaders need the courage, commitment, and skills to build and live that culture.
Lessons from the Chicago Police Shooting
In the wake of the videotaped shooting of Laquan McDonald, the U.S. Department of Justice recently announced an investigation of the Chicago Police Department. In addition to the shooting itself, Justice will investigate more broadly, including whether additional officers failed to report – or actively covered up – wrongdoing by Officer Jason Van Dyke.
As a business leader, you run a company, not a police department. Your employees don’t carry guns on the job. What does this have to do with you?
Suppose one of your employees hears that financial performance is weak, and decides to help his bonus pool by sending hazardous waste off with an unlicensed carrier for dangerous, but cheap, disposal. Do you want to hear about this from another employee after the first illegal shipment, or from the Environmental Protection Agency after the hundredth? If an employee gets business by paying a bribe, keeps production moving by ignoring lockout-tagout rules, or starts talking pricing with your competitors, will you find out before a prosecutor or plaintiff’s lawyer does?
It’s sometimes said that police department cultures encourage officers to protect one of their own who does something wrong, rather than the organization or the public.
Does your business’s culture encourage the same?
It’s a truism that the cover-up is worse than the crime, and this is certainly true in business compliance. You depend on employees to keep a bad situation from spiraling out of control, but building a culture in which employees come forward is a major challenge for business leaders. Assess the risks your business faces by considering these points:
1. Do your business leaders include compliance when they talk about business goals?
As I’ve written before, leaders must have an open dialogue and be comfortable explaining why doing the right thing is a sound business decision.
2. Are your discussions of compliance all threats and no incentives?
Employees should see your encouragement of “right” behaviors as a common effort, not an attempt by leadership to line up scapegoats.
3. Do you have an effective policy and practice of no retaliation?
If employees feel that they will be punished for asking questions or for reporting something that’s wrong, they are less likely to come to you. Cynicism will build, and whistleblowing will look attractive – and virtuous.
4. Do you provide several ways for employees to ask questions or report wrongdoing?
Some companies require employees to report all problems up through the chain of command, but this creates a huge risk of intimidation and retaliation. Instead, give employees several options, including a way to report anonymously, to increase the odds that the employee will feel comfortable communicating with the company.
5. Are the people who might hear reports active listeners who know what to do?
Some employees might report wrongdoing very directly, but most will begin indirectly with a question or a hint to test the company’s reaction. It’s critical that management, HR, in-house lawyers and compliance personnel know how to recognize when an employee is trying to communicate a concern, ask the right questions, and start acting on the intelligence – preferably without making the employee feel that he or she has started a huge firestorm.
Many criminal prosecutions and expensive class-action lawsuits began with small problems. These proceedings go very badly for companies that ignored, or worse, stifled, employee concerns. You can manage the risk of small problems becoming enormous liabilities by improving your compliance culture and reporting process.
What Business Leaders Should Learn About Compliance Programs from the Volkswagen Scandal
This story originally appeared in the Detroit News:
In the wake of the Volkswagen emissions scandal, there has been a lot of discussion about whether the VW CEO knew about the software invented to cheat emissions tests and who in the company is to blame.
The answers may not be black and white, even once the inevitable investigations are complete. But VW’s multi-billion dollar compliance failure shows that the software’s creators did not believe company leadership expected them to act with integrity. If they had, VW would have complied with the law and would not be in this mess.
What should business leaders learn from VW’s experience?
As businesses grow, especially as they expand operations overseas, the risk and potential cost of a compliance failure also grows. Employees are more distant from company leadership, making it easier for them to rationalize an unethical shortcut (like the VW software). Employees may even begin to believe that “minor” violations are necessary for both personal and company success.
The U.S. government expects companies to have formal compliance and ethics programs to prevent and detect wrongdoing.
A good compliance program brings two key benefits to a company. First, if an employee commits a crime or “minor” violation, prosecutors may see that employee as a “lone wolf” and level a reduced charge or penalty against the company, or possibly decline to prosecute. Second, and perhaps more important, an effective compliance program will prevent violations from being committed in the first place.
It’s well and good to have a “less bad” conversation with a federal prosecutor, but it’s much better to never have the conversation at all.
What makes an effective compliance program? There are technical legal requirements, and there’s a cottage industry devoted to writing compliance programs and codes of conduct. But the key to compliance is the approach that the company’s leaders take.
The most important influence on how employees will act is their perception of their immediate boss’ expectations. If the boss sets the expectation that compliance failures will not be tolerated, then employees will be less likely to fail. If standards of behavior are left solely to “compliance professionals,” the message to employees will be mixed at best.
This means that an effective compliance program ultimately depends on building a culture of open communication about doing the right thing.
It takes more than online training explaining technical rules or a CEO sending a staff-wide email. When employees are faced with an opportunity to make a big mistake, the company needs them to ask questions. Leaders must have an open dialogue with employees and be comfortable explaining why doing the right thing is a sound business decision.
Compliance programs vary from company to company, and certainly have to meet technical legal requirements. But no matter the industry or company size, the compliance program must have an impact on company culture to achieve its objectives. When implemented correctly, these programs can save a company huge sums. Failure can be very expensive — as VW is finding out the hard way.