In a compliance meltdown, failure is on such a massive scale that it can put the company in peril of dissolution. Reputation is lost, customers and suppliers avoid the organization, talent leaks away and the business is starved of the fuel it needs. In the most severe cases, the entity ceases to function, as happened at Arthur Andersen & Co. Most cases are not fatal, but they still send the entire senior management team into crisis mode. Needless to say, legal counsel find themselves on the front line. For those inside the company, it is not just a matter of investigating and settling, but also of putting in place new practices to better detect and avoid compliance disasters in the future.
In a meltdown, there are no second chances. The consequences of another failure after settlement are so severe that no matter what effort goes into investigating and settling, success only comes from real and lasting changes in how people go about their daily tasks. This is not only to avoid, for example, the call option on a deferred prosecution agreement, or to satisfy a monitor from the Securities and Exchange Commission. People inside the organization need to feel that they have a chance to make a clean break and not be brought low again with more bad news.
In November 2006, after a raid by German police on its offices in Munich and elsewhere, Siemens faced a crisis that eventually resulted in the largest-ever settlement under the (U.S.) Foreign Corrupt Practices Act. This was a road not traveled before and not as yet understood. The company needed to quickly get to the bottom of the situation and show that it was resolving matters; otherwise, it risked losing significant parts of its business. As a supplier of capital projects like rail systems and power generation and transmission equipment, Siemens relied on the same governments that were now pursuing the company for breach of anti-bribery rules.
By the time the company completed its investigation in 2008, $1.36 billion in questionable payments had been identified, an SEC monitor had been installed, and fines totaling in excess of $1.6 billion had been imposed. The cost in external fees and management attention was a multiple of this amount.
What follows are five critical lessons learned, from real-life experience inside the company, about preventing your company from going off the rails a second time.
Put Discipline Before Risk
In a compliance meltdown, speed and thoroughness are at a premium. So forgo the risk assessment and move quickly to install new operating procedures. Siemens immediately created what it called an Anti-Corruption Compliance Toolkit and required every operating unit in the company to implement it. Then internal auditors were dispatched to see whether this had been implemented.
There followed formal quarterly reviews between a compliance officer and each business unit. There were no exceptions, and this is how discipline was inculcated in the organization. Even the internal audit unit met with its compliance officer. Eventually, these systems and reviews were refined to throw up fewer false positives. But it is more important to establish discipline, and quickly.
Do Whatever It Takes to Get Your Arms Around the Data
Use the power of today’s information technology for smart aggregation and analysis of data. If you don’t put this in the hands of your compliance and audit teams, they cannot ask important questions such as: “What types of suppliers are we sending payments to?” “Which ones are ‘natural persons’?” “Which suppliers are set up ‘out of country’?” None of these questions touches on practices that are inherently improper, but they were all questions we had reason to ask. And without capturing data centrally and systematically, such questions simply cannot be answered.
Invest in people who can get your data to speak to you. We built a team within the audit unit who were skilled at combing through information systems and extracting data so it could be analyzed swiftly and accurately. No audit function can operate seriously without these skills today.
Respond Fairly but Quickly When New Issues Arise
Speed and care are needed when a new allegation arises. Full disclosure and a heavy-handed response to a false allegation can be just as damaging to the business as failure to act clearly and promptly. It helps to think through the issues and have a framework ready in advance to answer such questions as:
“How and when do we involve management in the reporting line?”
“What level of diligence is appropriate and what are the appropriate internal sanctions?”
“How do I advise a senior executive who is relying on representations from someone who is under investigation?”
To get this right, do not put these calls in the hands of inexperienced professionals. And make sure you team up your legal experts with your risk and governance professionals.
Two innovative and effective mechanisms that Siemens used during its internal investigation were an amnesty program and a leniency program. Both rewarded people for coming forward promptly with information. As new information arose, we were able to look back and ask whether the individuals had fully disclosed all their pertinent information. If not, this was a clear and serious breach of their agreement.
Fight ‘Paper Compliance’
Some people use policies and checklists as a substitute for taking responsibility and exercising judgment. When middle management no longer thinks beyond the checklist, then a vital element of the control environment has broken down.
In my first month at Siemens, a business unit manager called me because he wanted to refuse an employee’s request to take another paid position outside the company.
The employee would not explain what the second position was and why there would be no conflict with his Siemens work. Therefore, the manager’s refusal was entirely appropriate. He had exercised his due diligence, but he still felt unwilling to make the call without an approval from the audit department. But while a desire to consult is undoubtedly part of a strong control culture, a fear of taking the decision after having done one’s own due diligence is a warning sign that paper compliance is on the rise and people are overly concerned with “checking all the boxes.” When management sees this happening, it is time to rethink the messages the company is sending and possibly even to revisit its reward systems.
Invest in Quality
If lasting change is what you need, make sure you find people who have traveled down this road before and know what they are doing, and do not under any circumstances sacrifice quality for speed. It is great to show the board that you have moved ahead and fully staffed a new compliance department within the first month, but if these personnel turn out to be reconditioned junior staff who can follow a process but not add insight, then it is a false gain. Better to lean on an outside expert for a while longer to make up the numbers while you keep looking for quality. High-quality people who can add value will want to advance their careers, so when hiring, make sure you can credibly offer this opportunity. Of all the things we did at Siemens, this was the most challenging, the most fun and ultimately the most crucial to rebuilding the company.
This article first appeared in Corporate Counsel, a Legal affiliate based in New York.
Anthony O’Reilly spent four years as the partner for quality in the corporate finance audit division at Siemens AG in Germany, rebuilding the company’s corporate audit group following the bribery allegations and settlement in 2008. Prior to this he was a partner at PricewaterhouseCoopers.