When Culture Can Be a Corporate Cancer

“It is better to ask forgiveness than permission.” If there is one phrase that should be permanently deleted from the lexicon of the business world, this is the one. The statement is categorically false, both conceptually and legally. The pervasive nature of this attitude, engrained into the psyche of far too many business leaders by the pressures of the competitive world and investor expectations, is a tumor that, try as they might, policymakers and regulators have been unable to excise from the body of commerce for decades. In a March 9, 2016, updated article in the Wall Street Journal, that publication noted that banks have paid $110 billion in penalties relating to the housing crisis since 2010. That is slightly less than the 2016 GDP of Kuwait and more than the GDP of Puerto Rico. That’s right, there are many nations in the world whose total annual gross domestic product is less than the fines paid by banks to federal and state governments and other remedial payments imposed by federal and state enforcement agencies. While an expenditure of such magnitude would plunge many countries into default, these financial institutions continue to do business, continue to make loans and continue, at least in some instances, to engage in illegal and fraudulent activities. This compliance thing isn’t working so well, is it? As we move to a new administration in Washington, there is talk about how to unwind various provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). Some of the recommendations that would particularly benefit smaller financial institutions should be seriously considered. But the discussion in Congress needs to encompass the scope of issues raised by financial oversight laws over the past two decades – and that includes Sarbanes-Oxley. The various compliance mandates included in that law have not produced the desired results. To be sure, companies have Codes of Ethics and Business Conduct, various training programs to comply with state mandates, anonymous reporting hotlines, and “tone at the top” structures that pass audit standards. From what we have seen over the past several years, however, the auditability of compliance should no longer be synonymous with the effectiveness of compliance. See also: Building a Strong Insurance Risk Culture   As enterprise risk management (ERM) structures become more sophisticated, regulated businesses are at risk of reducing the “ethics” part of compliance. As a law professor once said to me, law schools don’t teach people how to be ethical; they teach people the ethical expectations of the profession. This is referred to as the “tone at the top” in most compliance documents. And yet, per PwC’s State of Compliance Study 2016, while 98 percent of PwC’s survey respondents stated their firms “have senior leadership that is committed to compliance and ethics,” 55 percent stated, “senior leadership provides only ad hoc program oversight or delegates most compliance and ethics oversight activities” and only a meager 36 percent of compliance officers stated they are “inherently integrated” or “play a key role” in strategic planning. A similar observation can be made by reviewing Accenture’s 2016 Compliance Risk Study, Compliance at a Crossroads: One Step Forward, Two Steps Back? Among its observations was, “…only 31% of Compliance functions represented by our 2016 Compliance Risk Study respondents now report to the CEO, representing a 9 point fall over the 2014 level.” Accenture also notes, "The demands on Compliance have potentially resulted in the function struggling to clearly articulate its role within the organization and how it can benefit the Chief Executive Officer (CEO).” As for “tone at the top,” consider the finding in Deloitte/Compliance Week’s In Focus: 2015 Compliance Trends Survey: “Despite the role culture plays in creating an effective compliance program, culture assessment ranked dead last among the responsibilities CCOs have.” These results point to a continuing dilemma. Sarbanes-Oxley (SOX) and Federal Sentencing Guidelines have been around for decades. ERM is relatively a newer regulatory/audit structure, as is the Own Risk Solvency Assessment (ORSA) for insurers, while corporate governance initiatives are the most recent. Each, however, depends on the other. Thus, while it would seem axiomatic that legal and regulatory compliance and business ethics are risk elements and should be fully integrated with all other business processes, clearly, they are not. This ambiguous status is further exemplified by the recent trend of outsourcing compliance, a trend that causes the Securities and Exchange Commission (SEC) some angst. [See: Risk Alert, Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers (November 19, 2016), Securities and Exchange Commission Office of Compliance Inspections and Examinations (OCIE)] As noted in its 2016 publication, Risk in Review - Going the Distance, PwC found that 78 percent of survey respondents said that senior management, “wants a more forward-looking view when it comes to compliance”. Yet, only 27 percent said they had adequate resources to protect the company from compliance risks. We expect businesses to comply with laws and regulations, and we expect executives to behave ethically. But in the evolving metric-driven environment in which ERM and corporate governance exist, we are straining to peg a value to compliance and ethics. SOX, Dodd-Frank, ERM, and other corporate governance initiatives have as their objective driving businesses to make better and more transparent decisions and in so doing protect investors and consumers. But compliance and ethics also require an environment that encourages everyone in the enterprise to say, “Wait a minute…”. See also: Does Your Culture Embrace Innovation?   On Wednesday, January 11, 2017, Volkswagen AG and affiliated Defendants entered a Third Partial Consent Decree and Plea Agreement over criminal violations arising from its diesel automobile program. Part of the Consent Decree requires the appointment of a third-party Compliance Monitor. The Plea Agreement states that the qualifications to be the Compliance Monitor include, “experience designing and/or reviewing corporate ethics and compliance programs, including anti-fraud policies, procedures, and internal controls”. That same day, Forbes Magazine headlined its article on the settlement, “Volkswagen Shares Jump As It Nears U.S. Dieselgate Settlement.” The contributor tweeted, “Volkswagen’s emission scandal is a rare example where failure eventually results in success.” No mention was made of the Compliance Monitor.