Misconduct by employees on a scale that leads to the imposition of a monitorship will often find its roots in a flawed or dysfunctional corporate culture. The best gauge of a monitor's success will therefore often be its ability to help the company successfully reform its culture and by doing so avoid the perils of recidivism. This is a particularly difficult challenge, which requires an in-depth understanding of the company's formal articulation of its approach to compliance as well as how it executes those ideals. In other words, while management and compliance programmes set official policies regarding what should happen at a company, '[c]orporate culture determines what actually happens, and which rules are obeyed, bent, or ignored'.2 Further, because the failure of a corporate culture to embrace compliance may be what leads to the imposition of a monitor, the yardstick for successful remediation is often the degree to which the culture of the monitored entity has improved since the original misconduct. The role that a monitor can play in effecting that type of cultural change is, in many ways, the unifying theme of this guide.
To be sure, sometimes, when a corporation engages in unlawful behaviour and finds itself on the receiving end of a monitorship, the misconduct was only committed by a few bad apples. But in other cases, the tree – or the whole orchard – may be rotten, in which case a few revised policies and revamped compliance processes will not be enough, and planting the seeds of cultural change becomes necessary. Although cultural change is a daunting task, with a monitor's help and guidance, not only can prosecutors and regulators be assured that the company is meeting its compliance responsibilities, the company itself can experience transformational change that leads to sustained, profitable and compliant growth.
Of course, fixing a broken culture is no easy task. A litany of business school case studies, scholarly articles, consultant engagements and criminal enforcement actions attest to the challenge. Edgar H Schein, who pioneered the concept of organisational culture, argued that culture is the most difficult aspect of organisational life to alter because 'it points us to phenomena that are below the surface, that are powerful in their impact but invisible, and to a considerable degree unconscious'.3 Despite these challenges, a monitor using the techniques described in this chapter is uniquely well suited to guide organisations through large-scale cultural change. Assuming a willingness on the part of senior management to address the cultural issues that led to the appointment of the monitor, a monitor can partner with an organisation to address cultural change while still maintaining the ability to independently hold the organisation to account. This is because a monitor brings an external perspective to the table, one that is not invested in how things were done in the past, and is able to see the full picture and illuminate problems that need fixing.
As noted in several of the following chapters, regardless of whether the government enforcement authority views the imposition of a monitor as a form of deterrence to other organisations that may be contemplating similar types of misconduct, the underlying goal of the monitor should never be to effect additional punishment for the company's wrongdoing, but rather to guide the organisation along the path to sustainable change, and to help it avoid repeating its previous mistakes long after the monitor is gone. As a result, a successful monitorship cannot be fully determined on the eve of its termination; rather, we must look at where the organisation is five or 10 years down the road. To ensure that the organisation is on the road of compliance rather than recidivism, a monitor should take a proactive role in partnering with management to improve or transform the organisation's culture of compliance.
Not every instance of corporate wrongdoing leads to a monitorship that will require efforts to reform the company's culture. In some instances, the underlying causes of the misconduct that led to the imposition of the monitorship are not systemic, and in others, the cultural infirmities that led to the misconduct have been addressed by pre-settlement remediation efforts. In these instances, a monitor enters a situation in which the few bad actors have already been tossed out, and while the organisation's policies and procedures may need to be further enhanced, its overall culture is relatively healthy. Thus, at the outset of the monitorship, it is vital to assess the current state of the company's culture. The monitor should examine the tone that is set not just at the top, but also in the middle of the organisation. The monitor must also look at the existing compliance framework and the organisation's proposed strategies to remediate any misconduct. The monitor should also evaluate the employees – not just who caused the misconduct but also who tried to rein it in. In addition to determining whether cultural change is necessary, this assessment helps to pinpoint which aspects of the company's culture potentially need to be addressed.
With that assessment complete, a monitor can then go about the difficult task of counselling the organisation through cultural change. In doing so, a successful monitor must develop a deep understanding of the company's business and financial objectives. Obviously, an organisation will not embrace cultural change if that means abandoning all hope of profits and growth. To the extent that some in the organisation complain that remediating the issues identified by the monitor will bankrupt the business, a monitor who understands the company's business will be best equipped to parry these charges, or help the company find suitable alternatives. A successful monitor can then obtain internal buy-in on the goals and means of cultural change, particularly from the leadership of the business itself. This includes leveraging and building upon pre-existing structures that can be used to foster compliance, as well as reinforcing consistent (and repeated) communication about compliance. These tactics will help management ingrain a new compliance-focused culture in a company by encouraging employees to become more personally invested in the process – a recipe for lasting change. A successful monitor knows that cultural reforms will have a short shelf life if they are imposed on an organisation against its will, hamstring the company's financial goals or never gain traction with the employees who remain at the company long after the monitor has moved on to the next engagement.
Is cultural reform necessary?
Every organisation experiences compliance breaches where responsibility legitimately rests on a few bad actors rather than a cultural failing. At times, rogue employees can circumvent even the best compliance programmes, but those incidents should be rare in a healthy corporate culture. When they arise, a robust compliance programme must detect the misconduct and then take swift and deliberate action to punish the wrongdoers, no matter their seniority. A healthy compliance culture learns the hard lessons from each compliance breach, and then uses those lessons to fortify the organisation's control framework going forward.
The monitor's first task is to assess whether an organisation's misconduct can be fairly attributed to isolated bad actors limited to a particular business unit or division, or whether the misconduct reflects deeper systemic failures across the organisation that can be traced to corporate culture.4 This assessment should be multifaceted, considering the tone set by management at the top and how that translates to tone in the middle; the company's compliance framework, including how it measures and incentivises compliance; the company's proposed remediation of violations of compliance policies and the law; and the company's existing personnel, particularly whether anyone involved in the misconduct remains at the company. Armed with this assessment, the monitor will know whether and to what extent cultural change is necessary and possible, and then begin the careful process of reporting those results to senior management, the board and the relevant governmental authority. It is absolutely essential to carefully educate the organisation's leadership about the monitor's findings rather than simply to impose them; if the monitor claims there is a culture problem, but has not marshalled the facts to demonstrate and convince leadership of the scope and severity of the problem, senior management will rightly criticise the monitor for overreach and make meaningful change all but impossible.
Assessing the tone from the top and the middle
Tone from the top, according to the Ethics & Compliance Initiative (ECI), a leading non-profit organisation focused on developing best practices for compliance programmes, is often considered to be the 'elusive but necessary condition for success' in creating a culture of compliance.5 No less important is whether and how middle management reinforces the tone set by senior management. Indeed, tone in the middle is particularly critical to assess given that middle managers typically have more extensive interactions with employees who will ultimately either embrace a culture of compliance or will not. As an initial part of the assessment, it is important to evaluate the reaction of both senior and middle management to the findings of the government's investigation (as well as any internal investigation), and to look at how management has communicated that reaction throughout the organisation, both formally (through town halls, email communications, etc.) and informally (such as in meetings and conversations between senior managers and their direct reports). Do senior and mid-level managers accept the facts made known to them through the investigative process and express a willingness to address them appropriately? Or do they seek to minimise the misconduct and claim they are the victims of overzealousness? In messaging employees, does management describe the settlement that created the monitorship as a wake-up call and catalyst for necessary change to the organisation? Or do they portray the monitorship as a burden and unfair punishment for the isolated misconduct of a few bad apples?
Consider these hypotheticals: in the first instance, on the heels of a large government sanction, the organisation's chief executive officer (CEO) sends an email throughout the organisation announcing his or her commitment to compliance and compliant growth as the company tries to turn the page on its troubled past; in the second instance, the CEO does not communicate to the bulk of employees at all, but complains to his or her direct reports that the government investigation was an overreaching 'witch hunt' that was conducted purely for political purposes in which the company was targeted for the same conduct undertaken by its peers, a message that those direct reports then funnel down through the organisation. Obviously, these very different approaches can have very different impacts on the organisation's cultural approach to compliance. Communications like these create a lasting impression, either positive or negative, that middle management echoes down to their teams. Where senior managers put their heads in the sand and refuse to acknowledge or understand the extent of the problems that led to the government sanction – and then communicate that resistance to the need for change down the chain – long-lasting cultural change will be very difficult to achieve. In contrast, senior managers who accept responsibility and recognise that change is necessary have likely already embarked on the path of change, making it far easier for the monitor to shepherd the company to broader and longer-lasting reform.
In making the assessment of tone at the top and in the middle, the monitor should examine a variety of media and communications. Email and written communications are the easiest to review, but the monitor should also attend key town hall meetings or gatherings where senior management communicates with a large number of managers and employees. Similarly, committee meetings of managers on areas that relate to the monitorship may also be fruitful in determining whether and how compliance-related communications have translated into running the business. The monitor can also learn a lot from initial and follow-up interviews with senior management, and selected interviews with managers further down the line.
Finally, the monitor should assess management's tone around compliance through management's day-to-day interactions with the monitor. To be clear, no snap judgements should be made in the initial days of the monitorship as management adjusts to a very foreign and unique presence within the organisation, but over time, the following questions may arise:
- Does management approach the monitor as a partner in improving the organisation, or more as it would treat an adversary in a hotly contested litigation?
- Is management transparent in communicating with the monitor, or does the monitor have to go to great lengths to obtain relevant information?
- Does management point out perceived compliance weaknesses to the monitor, or stay silent and hope that the monitor does not discover those weaknesses on its own?
The more cooperative and transparent management is with the monitor, the more likely that cultural reform has occurred, is under way or is unnecessary. Obstructive behaviour, however, should be regarded as a harbinger of trouble.
Assessing the compliance framework
The current state (and historical development) of a company's compliance framework also speaks volumes about its culture. A company's compliance framework shows how much the company values the importance of the compliance function to identifying and mitigating existential risks. A wealth of resources exists to help a monitor evaluate compliance programmes, including, to name a few, the Federal Sentencing Guidelines,6 the Justice Manual,7 the 'Evaluation of Corporate Compliance Programs' guidance from the Department of Justice's Fraud Section for the United States;8 and, globally, the Organisation for Economic Co-operation and Development (OECD)'s 'Good Practice Guidance on Internal Controls, Ethics, and Compliance'9 and its 'Anti-Corruption Ethics and Compliance Handbook for Business',10 or the International Organization of Standards (ISO) 19600 Compliance Management Systems guidelines.11 There is also no shortage of guidance to be found beyond these resources,12 and familiarising oneself with the basics of good compliance programmes is essential to ensure that a monitor can capably identify any gaps in the company's existing compliance structures, while also getting the necessary grasp on where the company is culturally.
As every corporate culture and monitorship is different, the compliance standards set forth in the literature cited above will only get a monitor so far, but there are certain common themes to examine.
First, the assessment needs to have the necessary scope and depth to avoid the common error of validating a programme that looks great on paper, but is not implemented effectively, and does not actually identify and mitigate risky behaviour.13 For example, consider an organisation with a strict global anti-corruption policy that forbids giving anything of value to a government official over $25 without advance written approval; conducts web-based anti-corruption training in 10 languages; has a third-party due diligence protocol; and requires internal audit to conduct periodic audits of corruption risk. On paper, this has all the hallmarks of a robust and effective compliance programme, and a monitor who relies on a handful of presentations and interviews may come away with the sense that there is little more to be done.
Although senior management may be relieved to receive a monitor's report to this effect, the monitor has done the entity no favour. A more diligent monitor would do a more careful assessment, which could include testing employees' understanding of the training, as well as auditors' understanding of relevant risks. Such a monitor would also assess whether the due diligence protocol and audit fieldwork are covering all relevant aspects of the business's day-to-day activities, and whether the compliance group is effectively monitoring conduct to make sure that it comports accordingly with the policy. In so doing, the monitor may discover that, although the company has a sound policy, its effectiveness is limited because:
- the policy is not effectively communicated or policed, and employees do not seek advance written approval;
- employees take the online training but report that it does not address the realities they see on the ground and is hard to follow;
- the third-party due diligence protocol leaves out critical swathes of high-risk third parties; and
- the periodic anti-corruption audits all come back 'clean' in part because the auditors who conduct them are not trained on how to identify corruption risks.
Such a programme might be a cultural red flag of putting form over substance when it comes to important compliance issues. A monitor can assess whether the programme is leading both internal and external stakeholders to believe that the organisation is doing the right thing, when the reality may be very much different.
In testing for 'paper' programmes, a monitor should consider what efforts the company is making to monitor compliance with its policies, to seek continuous improvements to those policies, and to investigate and discipline employees if policy breaches are detected. Among other things, the monitor can evaluate the effectiveness of compliance training by conducting or reviewing employee surveys or interviews to identify what information is (or is not) being internalised.14 The monitor should also examine whether employees follow policies in their day-to-day practices through consistent, risk-based testing. Testing can include manual reviews of high-risk transactions, such as customer due diligence for money laundering risk or third-party invoices for corruption risks, or automated testing that looks for known, high-risk patterns. The monitor should examine how the entity performs its own tests for compliance with its policies and whether the tests are ultimately effective in surfacing questionable behaviour.15 It is also important to evaluate the metrics used to assess the programme's effectiveness. For example, many companies count the number of people who have completed training as a measure of an education programme's success. Counting heads in an online training 'room' is a necessary component of ensuring that personnel are educated about risk, but it is hardly sufficient. In particular, it does not assess whether employees fully understand and follow the guidance provided by the trainings.16 Better metrics include whether the incidence of high-risk behaviour decreases after employees receive training, whether reporting on issues flagged in the training increases, and whether personnel more frequently seek advice from control functions about grey areas that the training highlighted. It is also important to evaluate whether the training has easy-to-follow examples and tests the employees on their comprehension of the applicable policies and procedures.
The monitor's assessment should also consider whether the maturity and sophistication of the compliance function correlates to the risks that the business generates. Profit-driven organisations by their very nature look for innovative ways to generate revenue and grow their business, as they should. Yet, new products, services and markets can introduce compliance risks that a start-up compliance function may be ill-equipped to mitigate. For example, a manufacturing company that exclusively operates in the United States, but then quickly expands its business globally through a series of acquisitions, may not have proper controls around corruption and export controls – common risks for global businesses.
Firms that experience rapid growth without a corresponding maturation of their compliance function may foment a culture that prizes growth above all else and could leave themselves vulnerable to employee misconduct.17 In some cases, particularly early on in an organisation's existence, legal personnel may be more attuned to accommodating growth of the business and may not be equipped to, or used to, serving as a check on how that business attains that growth. Thus, a monitor must assess what the legal and compliance functions look like, not just in their structure, but also in their stature. Is the compliance programme respected by other parts of the company as an independent and empowered function that is a partner in helping the business grow in a compliant manner, or is it viewed as an unnecessary hindrance (or, even worse, as an accomplice to help navigate around existing policies or laws)? Do the company's legal and compliance components have sufficient resources to identify and mitigate legal, compliance, reputational and other risks? Do compliance personnel have a spot at the decision-making table such that, even if the compliance chief does not report directly to the CEO or sit within executive management, his or her voice is nevertheless heard and respected at the highest levels of the organisation? A monitor can pull on different threads to reveal whether a compliance function commands respect, such as observing cross-functional meetings with compliance and business personnel, gathering an assessment from internal audit about compliance leadership, and reviewing how the CEO and his or her direct reports respond to compliance presentations.
Assessing the proposed remediation
A monitorship begins months, or even years, after the company first became aware of problems with its employees, compliance programme or corporate culture. Consequently, the company almost certainly will have already undertaken steps to remediate the previously identified issues. The monitor must consider and respect these initial remediation efforts and the organisation's proposals for addressing the misconduct going forward. Even when the monitor views such proposals as flawed and incomplete, the monitor must resist the temptation to reject them out of hand and impose on the monitored company its own perception of the 'best in class' compliance programme for the company. As long as the existing remediation plan provides a path to being effective, it is almost always better to work within that framework. A wholesale rejection of the company's efforts to date risks demoralising and undermining the stature of the existing compliance personnel, and setting an adversarial tone for the monitorship rather than one of partnership. Moreover, the hard work of convincing management to invest in the preexisting remedial plan has presumably already been accomplished, and it will be far easier to convince management of the utility of improving a preexisting programme than to make a resource-intensive exercise of starting from scratch.
Further, a snap judgement about the company's past remedial efforts also runs the risk of being wrong. What may have worked at another company in another monitorship might not fit this particular company's business and culture. Instead, it is important to understand why the company chose the remedial path it did, and leverage that work to improve the compliance programme so as to effect cultural change.
To assess remediation efforts in a meaningful way, a monitor should look both at what was accepted and implemented in response to the government's findings of misconduct, as well as at what was considered but rejected. This provides insight into management's thinking, and gives the monitor a starting point for remedial solutions that are likely to fit within the organisation. Are there ideas that were thrown out before the monitorship began that could actually be effective with some revision? Were they rejected because the business misperceived the extent of remediation necessary? Did business managers push back on proposed remedial measures, and if so, what was their rationale? The historical interplay between business management and compliance personnel over different avenues of remediation can provide significant insights into what motivates the business, and what kinds of compliance reforms will meet resistance or engender business support in the future.
Assessing the personnel
One of the most important and challenging aspects of the monitor's initial assessment of the company's culture is its evaluation of the people in the organisation – at a multitude of levels.
The monitor can play an important role in helping the company make sure all the direct participants in the misconduct are gone. Under the Federal Sentencing Guidelines, for example, companies must take reasonable efforts to remove personnel that the organisation knew (or should have known) were engaged in misconduct from positions of substantial authority.18 Identifying the principal wrongdoers is often straightforward and will typically have largely been completed by the government or internal investigation, but it is also just as important to understand and identify those who may have knowingly supported or enabled them. In a monitorship with a backward-looking assessment, the monitorship offers the associated benefit of alerting management to personnel whose historical behaviour may warrant further scrutiny. Management may decide those personnel need further training, better compliance incentives, or should be transferred within – or even out of – the organisation. Even in a monitorship focused only on the current control environment, the monitor, through interviews of key personnel, can help management identify personnel that do not buy in to cultural reform, minimise misconduct, erect roadblocks to change or are obstructive. In the first instance, the monitor should attempt to work with those individuals and their supervisors to develop support for reforms. But if those efforts prove unsuccessful, it is the monitor's obligation to share its concerns with more senior management, the CEO, the board of directors or even the appointing governmental authority if the monitor believes that the individual will be an impediment to the reforms necessary for the company to avoid recidivism.
The monitor also can serve an important role in helping a company identify and potentially empower 'change agents' that already exist within the company's ranks. Change agents are those within the organisation who have a demonstrated track record of fostering compliance (or at least pushing for reform) and the commitment to help lead the organisation in its cultural transformation.19 Change agents – who may be located within the business, legal, compliance or elsewhere – can be key to facilitating a broader transformation, because their visibility in the organisation conveys a persuasive message that sustainable change emanates from within the organisation, rather than from external forces. The monitor can help facilitate that process, identifying voices that may not have previously been heard, searching for obstacles that may have held them back and helping clear the way for change agents to lead the organisation down a more compliant path.
Implementation – fixing corporate culture
At the end of this initial assessment, if the monitor concludes that the culture in all or part of the organisation contributed to the misconduct, and that existing efforts to address it are unlikely to be sufficient, the monitor is then faced with the difficult task of working with management, the board of directors and potentially the appointing governmental body to change that culture.
In setting out to change a corporation's culture, it is important to avoid common pitfalls. Change management thought leader and Harvard Professor John Kotter, for example, has argued that most large-scale corporate culture transitions founder because they fail to generate a sense of urgency, to establish a powerful guiding coalition, to develop and communicate a vision, or to fully embed changes into the corporate culture.20 And Harvard Business School Dean Nitin Nohria and Professor Michael Beer contend that about 70 per cent of corporate change initiatives fail because, in their rush to change their organisations, managers immerse themselves in 'an alphabet soup of initiatives' – failing to recognise the real human toll of change efforts and, ironically, focusing on too many conflicting ideas about how to change a company rather than a single coherent strategy.21 In other words, efforts to change everything can often lead to a failure to change anything.
The existing scholarly literature, though helpful, will only get a company so far. An effective monitor will need to use all the tools in his or her toolkit to fix a broken culture. The most relevant are discussed below, including getting internal buy-in, leveraging and building upon pre-existing structures, and reinforcing consistent, repeated messaging.
Obtaining internal (and business) buy-in
A monitor is most effective in shepherding large-scale change when it has the buy-in of the key components of the organisation itself, particularly, as discussed below, from those running the business. To be sustained, cultural change must be driven or adopted from within, rather than imposed against the company's will by an outsider. When imposed from the outside, change tends to dissipate quickly after the monitorship has ended. Of course, internally driven change demands willing partners. This strategy works best where senior leadership – as demonstrated through the work done in the monitor's initial assessment or otherwise – is invested in effectuating change.
Perhaps the most important constituency to bring on board for cultural change is the personnel in the organisation's business units. Regardless of how good an organisation's legal and compliance functions are, the business is where the culture is shaped and lived in day-to-day decisions. As the ECI puts it, an effective compliance programme sets a compliance strategy that is central to the company's business strategy.22 A more compliant culture requires an organisation, in the first instance, to commit to ethical and compliant behaviour rooted in policies, laws and ethical principles. Achieving this culture demands a commitment to specific reforms. Business personnel need to embrace the overall goal of compliant growth and sign on to the specific reforms that will aid the organisation in reaching that objective, with the understanding that, in the long run, the company will be more successful in the marketplace if it is regarded by its customers, regulators and governmental investigators as a compliant company that conducts itself in an ethical manner. In other words, revenues will increase as the company regains the trust it may have lost with its customers as a result of the misconduct that led to the monitorship. And the bottom line will improve as costs related to investigating misconduct, responding to regulators and settling with the government drop precipitously, as well as through increased efficiencies that often accompany the alignment of incentives between employees and management brought about by a more compliant culture. Getting buy-in from managers and employees throughout the chain of command within the business helps to make sure that the message that compliance is important gets internalised, and will inspire employees to invest in the company's efforts to change.
Although a monitor may have the mandate to impose reforms on business units, the goal of sustained cultural change is better served if the monitor instead can persuade the business of its benefits. Ideally, this would occur through direct interactions with senior management resulting in buy-in for the monitor's recommendations. The monitor must be an advocate and build its case to business management that a problem exists, and if left unaddressed, the problem will cost more in the end than the proposed reform, through additional investigations and fines, increased reputational costs, inefficiencies or distraction of management. But if management refuses and unreasonably digs in its heels, the monitor should leverage the power of the company's board of directors or the governmental authority that appointed the monitor to get management to see the light. The monitor can inform the board or the governmental authority of management's intransigence, either informally or formally through the monitor's reports. If these efforts are unsuccessful, the monitor can issue its recommendations, use its remaining time to report on implementation, and then rely on the continued vigilance of the board of directors and the appointing authority to give the reforms time to fully take root and hopefully improve the company's culture alongside them. But this result should be a worst-case scenario, as it has the least chance of effecting cultural change that will best prevent recidivism.
As discussed above, a successful monitor will also have (or develop) a keen understanding of the entity's business to understand what drives its profitability and growth, and use that understanding to convince the business that a more compliant business is not incompatible with a growing and more profitable business. To be effective, this is where a monitor must demonstrate its ability to add significant value – as an outsider with independent authority and freedom from the organisational hierarchy who can marry the twin goals of compliance and growth. Demonstrating a keen interest in the business and a desire to find a path to compliant growth also will allow the monitor to gain the necessary credibility with the business so that it respects the monitor's recommendations as necessary and practical. The alternative, dictating reforms without regard to the underlying business imperatives, will inevitably frustrate the process and diminish the monitor's credibility, and therefore its ability to help achieve sustainable reform.23 A monitor also should be prepared for the possibility that certain business practices are simply not compatible with compliance policies and the law. For example, business personnel often decry restrictions on what they can give to government officials, claiming that such practices are the only way to do business in certain countries. In those moments, the monitor needs to stand firm. Although the first imperative is to draw on its own experiences with other monitored entities or clients to help the company find a compliant path forward, if the business genuinely cannot survive in a certain market without breaking the law, the company has to be prepared to exit that market.
Getting business unit buy-in may also require marshalling historical facts to provide the needed wake-up call to business management. Where a monitorship includes a historical component, the monitor's investigation can expose the facts and scope of misconduct to business management who may have previously lacked awareness or turned a blind eye. Where managers do not know the full facts of what occurred previously, they may be less inclined to make the decisions necessary to achieve cultural change. Although a company may initially view the requirement of a backwards-looking investigation as a costly, punitive measure, if harnessed effectively by a monitor, it can be a critical tool for motivating cultural change. Specifically, it may demonstrate the extent to which the misconduct was driven by historical cultural issues that may still be present despite the post-investigation remedial conduct engaged in by the company. Put simply, if the company did not understand the extent of the problem, it cannot be expected to take all the necessary steps to fix it. Where a monitorship has no historical component, a monitor should look to the results of internal investigations, regulatory investigations, and its initial assessments, and use those facts to frame the need for change as necessary.
Another key way to achieve internal buy-in is to encourage (and even require) the company, and in particular its business components, to play a role in finding the solutions to problems identified by the monitor or the company itself. A company is much more likely to buy in to a reform, particularly one that is potentially transformative, that comes from within as opposed to one that is forced upon it by an outside party. In addition to the benefit of the business 'owning' the solution, it can apply its superior knowledge and expertise to craft sustainable reforms that are consistent with its business objectives. Soliciting ideas from the business also will help the company view the monitor not as an enemy, but as a partner to help it follow a better path – which is in line with the goal of a monitorship as remedial, rather than punitive.24
Leverage and build upon pre-existing structures
As discussed above, one of the greatest impacts a monitor can have is empowering voices already within the organisation and removing obstacles that stand in their way. This applies not only to people, but also to ideas.
A company rarely needs to start entirely from scratch. There are typically existing processes or procedures already in place that could be more effectively utilised to enhance compliance or communicate new compliance values. The monitor plays the critical part of identifying the processes or procedures worth keeping, and helping the company augment and deploy them to improve compliance. And the best ideas often originate from company personnel, who are embedded in the business and have a keen sense for what processes are most likely to succeed. Consider the following example: business managers at a company were falling short on compliance and were not meeting senior management's expectations that they would identify and address certain compliance risks among their subordinates. After discussing its finding with senior management, the monitor declined the invitation to propose its own solution and instead encouraged the company to develop its own path forward. With the guidance of the monitor, business managers devised an innovative solution that went well beyond the monitor's mandate, and therefore beyond any solution the monitor could have recommended. As a result, the company created a whole new system of executive accountability that grew organically from its own business leadership, and was embraced by their teams as a positive change.
Of course, sometimes it will be up to the monitor to introduce its own solutions to problems when the company is unable to forge its own path forward. But even in this situation, the monitor should bring the company into the process of shaping the proposed reform, by sharing draft recommendations, soliciting internal input on how to improve them, and then working with management to find the best ways to implement the recommendations.
Reinforce consistent (and repeated) messaging
To be successful, cultural change requires a vision that employees can rally behind and that management can point to as the rationale for decisions being made that impact employees (sometimes negatively). Inculcating a compliant culture requires reinforcing this vision through regular messaging because, as compliance experts Nitish Singh and Thomas J Bussen note in their practitioners' guide for compliance management, employees are more likely to behave more honestly and responsibly if senior managers express their vision of an ethical corporate culture 'loudly and consistently'.25
An effective monitor should encourage and help a company use every vehicle possible to communicate the company's vision for a compliant culture and its plan to achieve it. A company that is serious about change, and instilling and maintaining a culture of compliance, should:
- repeat the core messages behind the organisation's cultural shift and new vision at town halls, management presentations and public discussions;
- make compliance a core part of the company's code of conduct, which plays a key role in setting the appropriate tone and is one of the most visible manifestations of the values and culture of an organisation, both to employees and the outside world;26
- ensure messaging is consistent, with no deviation from the message that compliance is important and a part of the core culture; any deviations should be immediately addressed. If necessary, managers who refuse to support the message, or who undermine it, should be considered for disciplinary measures or even termination. For example, a company should pay careful attention to managers who undermine compliance personnel in team meetings, downplay the importance of (or ignore) compliance risks in town halls, or excuse compliance breaches of their top-performing revenue generators; and
- teach new behaviour by example, set the tone from the top, and reinforce that tone down the management ranks.
As the ECI's Ethics & Compliance Handbook notes, '[s]etting an appropriate tone for ongoing discussions about ethics and compliance is one of the most important roles an organization's board and senior managers can play.'27 That means senior managers, as well as lower-level managers, must not only talk the talk, they must walk the walk.28 A manager who walks the walk will often confront tough decisions, like terminating a top-performing salesperson who regularly circumvents the rules, even if that decision causes a short-term hit to the manager's own financial performance.
Set the right tone from the middle
Middle management serves as both the emissaries of top management, and the supervisors of those who are most responsible for carrying out and adhering to the company's policies. Their involvement is critical to the success of any effort to change the corporate culture. Most employees, especially at larger organisations, have little direct contact with senior management, and so will take their strongest cues from those managers who supervise and interact with them regularly.
An effective monitor can help reinforce a compliance-driven culture in middle management. It can push for and provide guidance on rewriting a company's code of conduct, identify through monitoring and testing where messaging has deviated from the expectation of compliance, push senior managers to walk the walk themselves by consistently messaging the importance of compliance and offering incentives that reward it, and use its reporting authority to credit middle managers who are setting the right tone for their teams. The monitor also plays a crucial role in helping an organisation devise strategies to conduct its own monitoring and testing of how it is measuring up against its improved compliance framework. With a robust testing programme in place, an organisation can better detect those employees who need additional training or guidance, as well as those who simply do not want to change their way of doing business.
Evaluation and incentives
A monitor should also look for ways to make sure employees are being evaluated, measured, and compensated in a way that promotes compliance. Employees will look to the criteria against which they are measured, and the ways those criteria impact their compensation and promotion, as key signals regarding how much attention they should pay to compliance.
Recent enforcement actions underscore the cost of getting incentives and compensation wrong. For example, when federal regulators fined Wells Fargo $185 million in 2016 after finding that employees had secretly created millions of unauthorised bank and credit card accounts without customers' knowledge, the Consumer Financial Protection Bureau pointed to Wells Fargo's sales goals and incentives, including an incentive-based compensation programme, as influencing employees to engage in improper sales practices.29 Employees described a toxic sales culture with impossibly high targets, where employees who did not meet daily sales goals were chastised and demeaned in front of peers,30 or threatened with termination.31 Although, fortunately, situations this extreme are uncommon, a monitor must be sensitised to a culture that incentivises misconduct and must work with the company to realign such an incentive system.
Importantly, when it comes to determining business employees' and their managers' compensation, the monitor should look to see whether it is based only on financial performance, or if it also incorporates compliance metrics.32 For example, if business personnel shoulder responsibility for conducting due diligence on third-party agents, are they also evaluated on the quality of the due diligence they perform? Does the company specifically measure how well business personnel execute that compliance responsibility and does that measurement factor into compensation decisions? Or are these personnel only measured on how much business they generate? To be sure, there is no one perfect metric to capture compliance-related performance, and any such determination is likely to be conducted on a company-by-company basis. But a monitor can help a company identify compliance metrics that are appropriate to its business, capture both positive and negative performance, and then feed into compensation decisions in a meaningful way.
Ultimately, employee incentives should be aligned to promote compliance (and deter non-compliance). A successful change effort will use both 'carrots' (in the form of positive incentives, including financial incentives) and 'sticks' (in the form of disciplinary measures) to instil and repeat the message of a compliant culture. A company's compensation system should be structured to avoid incentivising employees to misbehave and instead both penalise bad behaviour and reward good behaviour. The rewards and penalties built into the system should be aligned with the message from management about the new culture of compliance.
The question of whether to reward ethical conduct – or simply to expect it as the norm – is one that has generated controversy as of late. Publicising when an employee makes choices in line with the organisation's compliance goals and rewarding those who are exceeding the performance of their peers sends a powerful signal of how to be successful at that company, not to mention providing real-world guidance on operationalising the company's stated values.33 As one example, at a monitor's suggestion, a business division that sought to improve its culture of compliance devised metrics to evaluate personnel on compliance-related topics, and then used those metrics to award increased bonuses to employees who demonstrated top compliance performance. Within one year, the division experienced what its leadership described as a 'sea change' in attitudes about compliance.
A final tool to effect cultural change is through negative incentives and, in particular, to ensure that the company's disciplinary process is in line with the intended message of the importance of compliance. The monitor should ensure that employees who engage in misconduct that is in any way similar to the misconduct that led to the imposition of the monitorship are treated with the appropriate level of severity. Nothing will undermine management's stated goal for change more than seeing recidivist employees receiving a slap on the wrist for the same type of conduct that was the impetus for reform. Further, employees should be consistently disciplined for misconduct. If rainmakers or star business generators receive a 'pass' or are disciplined inconsistently (or not at all) because they are valuable to the business, this can undermine all other efforts to improve the company's culture. Such a practice can breed resentment and resistance, and obscure the message that compliance is important for all in the company. As the ECI observed, '[e]mployees are careful observers of how their employers impose discipline.'34 Where the monitor sees inconsistency in the disciplinary process, this should be highlighted for the company and a revamp of the way discipline is handled can be recommended. In addition to sending the right cultural message, the consistent imposition of discipline and rewards is an important way to demonstrate that a compliance programme is more than just a 'paper' one.35
Many of the assessments, processes and tools described in this chapter are hallmarks of any effort to revamp a corporation's culture. A monitor, however, occupies a unique middle-ground space – not an insider, but also not the government – that allows it to press on different levers and apply external pressure to an organisation that might not otherwise undergo necessary cultural change.
One of the monitor's most prized tools in helping to effect cultural change is the power of reporting. A monitor often enjoys a high level of credibility with a company's board of directors and the government authority that appointed the monitor, and as a result, a monitor's words are amplified. For management, a report criticising its efforts to reform its culture as lacking can lead to highly negative consequences, including to compensation or continued employment. Similarly, a report that gives credit where credit is due can bolster certain managers in the eyes of the board of directors and the company's regulators. The monitor must use its credibility and its power of reporting to incentivise change and give management every chance to earn a positive report, while never wavering from its duty to truthfully and accurately provide information on the company's challenges and failures.
Another important characteristic of monitorships in achieving cultural change is the monitor's experience and credibility as an outside expert. A monitor is not invested in how the company has always done things, and is not a part of the existing hierarchy. As an independent third party, a monitor can marshal historical evidence to shine light on the problems that led to imposition of the monitorship in the first place, and create the requisite sense of urgency and a wake-up call for change. Because of this, an effective monitor can also empower individuals and ideas that have been ignored in the organisation before. A monitor is also able to facilitate change at all levels, by virtue of communication and interaction with everyone from senior management to rank-and-file employees. This broad perspective allows a monitor to see the full picture, putting it in a uniquely strong position to help a company chart a path with full awareness of unintended consequences.
Ultimately, the task before a monitor in effecting cultural change is to help the company develop the tools of a compliant culture, and then teach the company how to use them so that the company itself steps into the monitor's shoes after the monitorship ends. Ideally, by the conclusion of the monitorship, the change agents within management should be empowered and acting on the monitor's invitation to proactively identify compliance risks, and proposing and implementing solutions to address them. By the time the monitor leaves, the company should have recognised that a compliant culture is also good for the bottom line and have an unwavering commitment to continuing along the path it set down with the monitor, so that cultural change will endure long after the monitorship has concluded.
1 Neil M Barofsky, Matthew D Cipolla and Erin R Schrantz are partners at Jenner & Block LLP. The authors would like to thank partner Jessica Ring Amunson for her important contributions to this chapter, and associate Jessica A Martinez, who was instrumental in its research and drafting.
2 Richard M Steinberg, Governance, Risk Management and Compliance (2011), at 6 (quoting Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework (2004)).
3 Alison Taylor, 'The Five Levels of Ethical Culture' (working paper, BSR, San Francisco, 2017), at 7 (quoting Edgar H Schein, Organizational Culture and Leadership (2004), at 8).
4 e.g., US Dep't of Justice Criminal Division, Fraud Section, Evaluation of Corporate Compliance Programs (2017), https://www.justice.gov/criminal-fraud/page/file/937501/download; US Dep't of Justice Criminal Division and US Securities and Exchange Commission Enforcement Division, A Resources Guide to the US Foreign Corrupt Practices Act (2015), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.
5 Ethics & Compliance Initiative (formerly Ethics and Compliance Officer Association Foundation), The Ethics and Compliance Handbook: A Practical Guide from Leading Organizations (2008), at 39 (ECOA/ECI Handbook).
6 US Sentencing Guidelines Manual Section 8B2.1 (US Sentencing Comm'n 2016).
7 US Dep't of Justice, Justice Manual Section 9-28.800 (2018).
8 US Dep't of Justice Criminal Division, Fraud Section, 'Evaluation of Corporate Compliance Programs', 2017, https://www.justice.gov/criminal-fraud/page/file/937501/download.
9 OECD, 'Good Practice Guidance on Internal Controls, Ethics, and Compliance', 18 February 2010, https://www.oecd.org/daf/anti-bribery/44884389.pdf.
10 OECD, 'Anti-Corruption Ethics and Compliance Handbook for Business', 2013, http://www.oecd.org/corruption/Anti-CorruptionEthicsComplianceHandbook.pdf.
11 International Organization of Standards (ISO), 19600 Compliance Management Systems guidelines, https://www.iso.org/obp/ui/#iso:std:iso:19600:ed-1:v1:en:edB1:v1.
12 e.g., ECOA/ECI Handbook.
13 Hui Chen and Eugene Soltes, 'Why Compliance Programs Fail – and How to Fix Them,' Harvard Business Review (March–April 2018); Geoffrey Miller, 'The Compliance Function: An Overview' (2014); David Hess, 'Corporate Culture and Corporate Compliance Programs: Towards an Understanding of an Organizational Ethical Infrastructure' (2015).
14 Nitish Singh and Thomas J Bussen, Compliance Management: A How-to Guide for Executives, Lawyers, and Other Compliance Professionals (2015), at 117.
15 Deloitte, 'Testing and monitoring: The fifth ingredient in a world-class ethics and compliance program', https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-testing-and-monitoring-the-fifth-ingredient.pdf; US Dep't of Justice Criminal Division and US Securities and Exchange Commission Enforcement Division, 'A Resources Guide to the U.S. Foreign Corrupt Practices Act' (2015), https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.
16 See Hui Chen and Eugene Soltes, 'Why Compliance Programs Fail – and How to Fix Them,' Harvard Business Review (March–April 2018). In a classic (and often-cited) example of how incorrect or incomplete metrics can hide a paper programme, when the DOJ brought criminal charges against a Morgan Stanley employee in 2012 for his role in a conspiracy to evade internal accounting controls required by the Foreign Corrupt Practices Act, prosecutors noted that Morgan Stanley frequently trained employees on internal policies, the FCPA, and other anti-corruption laws, and the indicted employee himself had been trained on the FCPA seven times and received at least 35 reminders to comply with the FCPA. See US Dep't of Justice, 'Former Morgan Stanley Managing Director Pleads Guilty for Role in Evading Internal Controls Required by FCPA', 25 April 2012, https://www.justice.gov/opa/pr/former-morgan-stanley-managing-director-pleads-guilty-role-evading-internal-controls-required; Singh and Bussen, supra, at 6-7.
17 Alison Taylor, 'What Do Corrupt Firms Have in Common?', Center for the Advancement of Public Integrity, Issue Brief, April 2016.
18 US Sentencing Guidelines Manual Section 8B2.1 (US Sentencing Comm'n 2016).
19 John P Kotter, 'Leading Change: Why Transformation Efforts Fail', Harvard Business Review (2007).
21 Michael Beer and Nitin Nohria, 'Cracking the Code of Change,' Harvard Business Review (May 2000).
22 Thomas R Fox, 'Measuring the Impact of Ethics and Compliance Programs,' FCPA Compliance Report, 27 July 2018, http://fcpacompliancereport.com/2018/07/measuring-the-impact-of-ethics-and-compliance-programs (discussing Ethics & Compliance Initiative, 'Measuring the Impact of Ethics and Compliance Programs' (2018)).
23 See Bart M Schwartz, 'Getting Started as a Monitor', 18 Prac. Litig. 15, 18 (2007).
24 A view recently expressed by Southern District of New York US Attorney Geoffrey Berman in his keynote speech on monitorships at a 2018 NYU Program on Corporate Compliance and Enforcement conference. See US Att'y Geoffrey Berman, Keynote Speech on Monitorships - NYU Program on Corporate Compliance and Enforcement, 12 October 2018, https://wp.nyu.edu/compliance_enforcement/2018/10/12/u-s-attorney-geoffrey-berman-keynote-speech-on-monitorships/.
25 Singh & Bussen, supra, at 79.
26 ECOA/ECI Handbook at 55; Singh & Bussen, supra, at 63-64.
27 ECOA/ECI Handbook at 43.
28 Singh & Bussen, supra, at 78.
29 Consumer Financial Protection Bureau, In the Matter of Wells Fargo Bank, N.A., Consent Order (8 September 2016), https://files.consumerfinance.gov/f/documents/092016_cfpb_WFBconsentorder.pdf.
30 E Scott Reckard, 'Wells Fargo's pressure cooker sales culture comes at a cost,' Los Angeles Times, 21 December 2013, https://www.latimes.com/business/la-fi-wells-fargo-sale-pressure-20131222-story.html.
31 Matt Levine, 'Wells Fargo Opened a Couple Million Fake Accounts,' Bloomberg, 9 September 2016, https://www.bloomberg.com/opinion/articles/2016-09-09/wells-fargo-opened-a-couple-million-fake-accounts; People of the State of California v. Wells Fargo & Company, et al., No. BC580778, Compl. (4 May 2015), available at https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rPxi_pVaKx2Y/v0.
32 Singh & Bussen, supra, at 79.
33 ECOA/ECI Handbook at 112.
34 ECOA/ECI Handbook at 114.
35 ECOA/ECI Handbook at 108.