When Business Supersedes Compliance – A Recipe for Disaster
When looking through the wreckage of a major corporate compliance disaster, it is relatively easy to spot the important events when business needs (or money) are consciously elevated over compliance concerns or even reputational risks. It is easy to spot the circumstance, and with perfect hindsight announce to everyone (assuming someone is listening) that you would not have followed that course of action.
In the ethics and compliance profession, I hear often from compliance doctrinaires that business decision should “always” include ethical considerations or that business decision-makers should “never” be allowed to make decisions “on their own.”
Everyone understands this perspective and from a rearview vantage point it makes a lot of sense. But there is more to the story than just bringing in a compliance professional to the room and letting him or her participate in a “business decision.”
Bear with me a few paragraphs and let me set up my point.
Let’s consider one of the more instructive cases of this year – VimpelCom, when senior executives who knew that the shell company they were dealing with included the daughter of the President of Uzbekistan. In other words, the senior executives knew they could never get company approval for the transaction if they disclosed the hidden ownership interests that were being used to funnel large bribes. As a result, senior executives lied and deceived other senior executives, the board and outside counsel about the nature and terms of the proposed transactions.
In these circumstances, what difference would the presence of a CCO in the transaction have made? At first glance, you may say no difference because the executives would have maintained the lie to the CCO. That is too simplistic an answer. In fact, I would argue, the presence of the CCO may have led to the fundamental question that everyone involved in the transaction ignored – who in fact were the beneficial owners of these companies? Everyone in the room either deliberately ignored this basic question or intentionally knew it was a daughter of a government official. A CCO may have asked the right question and disrupted the attempt by the board and senior executives to move forward with the transactions.
Another recent example underscores this point. Assume that the CCO of Wells Fargo was aware of the plan to implement the new sales initiative by bank branches to increase the number of accounts and credit cards opened by bank customers. When discussing the sales incentives, I am sure the CCO would have raised some of the risks that were created by this initiative. Even assuming the bank decided to move forward with the program, the CCO would have recommended or proposed monitoring and auditing policies to keep on top of the program.
Even if the CCO was not in the room at the time this program was considered, it is easy to imagine a CCO’s response to the complaints that were made by employees on the internal hotline about the program and the need to address the problem. Assuming that the CCO only had access to this information, and assuming the CCO had independence and adequate authority, it does not take much to imagine the CCO’s response.
My point is that it would not take much for a company to protect itself from catastrophic decisions and actions that appear to ignore any compliance consideration. A good short-hand for this need is that companies need to inject ethics and compliance considerations into their business decision-making process.
I am sure business people will roll their eyes or snicker at this mild suggestion but the reality is that a lot can be gained by a little bit of change – meaning that a company’s course of conduct may avoid serious risks by injecting a new but important voice into the process. Looking back at the wreckage of VimpelCom and Wells Fargo, I can easily imagine what senior executives would have said if we were able to go back in time and offer them a minor suggestion – that the CCO be in the room when VimpelCom and Wells fargo made their fateful decisions.
Great website and stories!!
“I can easily imagine what senior executives would have said…” In the case of Wells Fargo they wouldn’t hear that suggestion and two days later it would be discovered that you had violated some rule and were no longer with the bank.
Compliance has to come from the top down. If as the employee responsible for compliance, you get no support, have no authority and are undermined, there will be no, or only spotty, compliance.