In a compliance meltdown, failure is on such a massive scale that it can put the company in peril of dissolution. Reputation is lost, customers and suppliers avoid the organization, talent leaks away, and the business is starved of the fuel it needs. In the most severe cases, the entity ceases to function, as happened at Arthur Andersen & Co. Most cases are not fatal, but they still send the entire senior management team into crisis mode. Needless to say, legal counsel find themselves on the front line. For those inside the company, it is not just a matter of investigating and settling but also of putting in place new practices to better detect, and avoid, compliance disasters in the future.
In a meltdown, there are no second chances. The consequences of another failure after settlement are so severe that no matter what effort goes into investigating and settling, success only comes from real and lasting changes in how people go about their daily tasks. This is not only to avoid, for example, the call option on a deferred prosecution agreement, or to satisfy a monitor from the Securities and Exchange Commission. People inside the organization need to feel that they have a chance to make a clean break and not be brought low again with more bad news.
In November 2006, after a raid by German police on its offices in Munich and elsewhere, Siemens faced a crisis that eventually resulted in the largest-ever settlement under the (U.S.) Foreign Corrupt Practices Act. This was a road not traveled before and not as yet understood. The company needed to quickly get to the bottom of the situation and show that it was resolving matters; otherwise it risked losing significant parts of its business. As a supplier of capital projects like rail systems and power generation and transmission equipment, Siemens relied on the same governments that were now pursuing the company for breach of antibribery rules.
By the time the company completed its investigation in 2008, $1.36 billion in questionable payments had been identified, an SEC monitor had been installed, and fines totaling in excess of $1.6 billion had been imposed. The cost in external fees and management attention was a multiple of this amount.
What follows are five critical lessons learned, from real-life experience inside the company, about preventing your company from going off the rails a second time.
Lesson 1: Put discipline before risk.
In a compliance meltdown, speed and thoroughness are at a premium. So forgo the risk assessment and move quickly to install new operating procedures. Siemens immediately created what it called an Anti-Corruption Compliance Toolkit, and required every operating unit in the company to implement it. Internal auditors were then dispatched to check whether each unit had done so.
There followed formal quarterly reviews between a compliance officer and each business unit. There were no exceptions, and this is how discipline was inculcated in the organization. Even the internal audit unit met with its compliance officer. Eventually, these systems and reviews were refined to throw up fewer false positives. But it is more important to establish discipline, and quickly.
Lesson 2: Do whatever it takes to get your arms around the data.
Use the power of today's information technology for smart aggregation and analysis of data. If you don't put this in the hands of your compliance and audit teams, they cannot ask important questions such as: "What types of suppliers are we sending payments to?" "Which ones are 'natural persons'?" "Which suppliers are set up 'out of country'?" None of these questions touches on practices that are inherently improper, but they were all questions we had reason to ask. And without capturing data centrally and systematically, such questions simply cannot be answered.
Invest in people who can get your data to speak to you. We built a team within the audit unit who were skilled at combing through information systems and extracting data so it could be analyzed swiftly and accurately. No audit function can operate seriously without these skills today.
Lesson 3: Respond fairly but quickly when new issues arise.
Speed and care are needed when a new allegation arises. Full disclosure and a heavy-handed response to a false allegation can be just as damaging to the business as failure to act clearly and promptly. It helps to think through the issues and have a framework ready in advance to answer such questions as:
- "How and when do we involve management in the reporting line?"
- "What level of diligence is appropriate and what are the appropriate internal sanctions?"
- "How do I advise a senior executive who is relying on representations from someone who is under investigation?"
To get this right, do not put these calls in the hands of inexperienced professionals. And make sure you team up your legal experts with your risk and governance professionals.
Two innovative and effective mechanisms that Siemens used during its internal investigation were an amnesty program and a leniency program. Both rewarded people for coming forward promptly with information. As new information arose, we were able to look back and ask whether the individuals had fully disclosed all their pertinent information. If not, this was a clear and serious breach of their agreement.
Lesson 4: Fight "paper compliance."
Some people use policies and checklists as a substitute for taking responsibility and exercising judgment. When middle management no longer thinks beyond the checklist, then a vital element of the control environment has broken down.
In my first month at Siemens, a business unit manager called me because he wanted to refuse an employee's request to take another paid position outside the company.