Tips for conducting compliance investigations

The task of a compliance officer is not to “set it and forget it.” Apart from planning and advising on risk management strategies, and monitoring business implementation of the attendant policies and procedures, compliance professionals must remain vigilant about the potential for violations. Internal compliance violations can run the causal gamut – they could be because of internal controls failures, unwitting omissions due to lack of awareness, or outright misconduct and malfeasance.

Compliance officers should approach an investigation into a compliance exception thoughtfully and with careful preparation. If the planning for or administration of the investigation is flawed from the beginning then the investigation results will not be reliable. In many fields, such as scientific research, planning investigation tactics and strategy is a discipline all of its own, demanding special expertise in statistical methodology standards.

For purposes of the internal investigations of compliance officers, a common-sense approach, focused on fairness and transparency, can take the place of technical expertise in conducting informal internal investigations that will still generate reliable and meaningful results. Compliance professionals should keep the following fundamental themes in mind when designing an investigation effort:

  • Reject foregone conclusions: Compliance investigation inquiries can be sensitive and intimidating. Most people do not want to do the wrong thing and will be worried or even frightened by the possibility that they have broken rules or regulations. They will fear that their jobs are at risk or worry about the reputation of the company due to the misconduct. Therefore, take the investigation seriously, even if its scope is limited or it’s routine. Don’t decide the outcome before the information is gathered. Investigations should be motivated by intellectual curiosity, in the case of annual or planned investigations, or, in the case of ad-hoc or event-driven investigations, an objective desire to protect and promote integrity, which knows no master.
  • Work carefully: Sloppiness and poor preparation will doom an investigation from the beginning. Compliance professionals should work carefully and check their work as they go along. Simple errors such as directing queries to the wrong recipients or asking for information that is outside the scope of the investigation can make a terrible impression on stakeholders and disrupt the investigation's efforts. Communication is key, and information communicated to all parties throughout the investigation should be accurate, clear, and appropriate at all times.
  • Give support, not interference: Compliance often collaborates with other functions such as HR, Legal, and Risk; this collaboration should be encouraged, not complicated or avoided. In planning investigation strategy, work together with partners and stakeholders whenever possible (legal privilege and confidentiality, where it applies, must of course always be respected). Sharing information helps to make conclusions stronger and to avoid inefficient duplication of efforts.
  • Follow through with enforcement when misconduct is evidenced: Investigations are toothless when the results are just put on a shelf and forgotten. Enforcement action must come next, and every outcome calls for appropriate follow-up. In instances where misconduct is discovered, whether it stems from negligence or intentional wrongdoing, disciplinary action should be taken with concrete consequences. Substantive structural changes should also be made to the risk control framework so that the same non-compliant behaviour is prevented, or identified earlier, whenever possible. Punishing the wrongdoer is not enough; addressing the root causes of the wrongdoing has to happen too.
  • Feed forward when no malpractice is discovered: Not every investigation will be an open and shut case where there are good people and bad people and everything wraps up neatly. It may be that the investigation yields no evidence that anything material happened. It is also possible that the investigation will reveal some unrelated deficiencies, such as in communication strategies or employee awareness. Finally, the investigation could produce inadvertent lessons for the compliance officer himself or herself to take back to a future risk assessment and planning session. Whatever these conclusions are, don't discard them just because they don't lead to a punitive action. Feed them forward into risk control improvements and future compliance program efforts.

Compliance officers who consider the above suggestions in planning their own investigation strategy will be focused on obtaining neutral, credible information. They will communicate clearly and engage stakeholders supportively. Enforcement actions stemming from the investigation efforts will be pro-active and productive. With these approaches, compliance officers can establish credibility and effectiveness in conducting internal investigations.

Key compliance culture values for promoting employee integrity

Employee integrity is the cornerstone value for establishing organizational integrity, and therefore for the success of any compliance program. As fundamental as employee integrity is, it is also complex, elusive, and affected by a huge array of factors and influences. Perceptions and biases can defeat individual intentions for ethical behavior. External forces on the decision-making process and the impact of management in a complicated organizational structure and business world can defeat incentives for integrity and honesty.

What can a compliance program do to address the need for employee integrity in a world which presents so many obstacles and hindrances to developing and maintaining this trait? Compliance professionals should be the organizational standard bearers for encouraging good people to do good things and limiting the opportunity for the occasional bad person to do bad things. This message can be very simple and should focus on reinforcing positive perceptions of corporate values and leadership expectations, so that employees aspire to model their own character on them.

  • Openness: Transparency and honest, active communication are crucial to the success of a compliance program. Employees must see that openness of communication and transparent reporting and sharing are highly valued. Open communication is directly linked to reduction of reputational risk and perceptions of greater honesty. Establishing a culture where employees feel it is encouraged or expected to speak up and speak out requires management to be meaningfully open, accessible, and relatable. In an environment where employees feel that all behavior and performance can be discussed openly, they will also be aware that it will all be noticed, and therefore will feel positive pressure to meet best expectations for integrity.
  • Clarity: Clarity of expectations and perceptions is essential for a culture of integrity. As with all objectives for compliance culture at an organization, norms and values must be clear and consistent across all employee populations. Communicating different or confusing messages, or giving information that affects everyone to only some and leaving others to hear it indirectly, is disastrous for embedding ethical traits in an organization. Clarity promotes understanding and discussion, both of which are necessary for employees to take up the cultural objectives of the organization as their own.
  • Leadership: Tone at the top is just the first step. Leadership should be encouraged as a professional competency at all levels of the organization, so that advocacy for the compliance culture can take root everywhere. Employees need to see leaders speaking up about the importance of integrity, but they individually also need to feel that they are in a position to speak up themselves, and that they will be seen as vested with responsibility for their own integrity and choices in everyday ethical dilemmas.
  • Trust: Trust is the simplest factor for encouraging integrity in organizations, and indeed in all interactions and relationships, and it is also one of the most difficult and fraught qualities to meaningfully establish and maintain. Trust is constantly threatened and questioned. It cannot be given automatically and still have meaning, but it must be given confidently and with the expectation that it will be returned. Investments in mutual trust cannot be forced or demanded. The pain of having colleagues or managers who are not trustworthy can cause deep damage in teams and organizations and impede individual development. The only solution to this is to see trust as a reward and an ongoing evaluation, and to embrace frank and open dialogue which can help to resolve prior mistrust and discourage future violations.
  • Engagement: Engagement discussions usually focus on employees, but the quest for achieving it starts with management. Employees should see that management follows up, takes integrity seriously by individually espousing all the values, responds visibly to problems and complaints, and confronts issues boldly and confidently. Management engagement in the compliance culture should embrace professional skepticism and pursue public accountability. When employees see this, then they are empowered in turn to engage with their direct managers, peers, and direct reports to have discussions about integrity matters and to demonstrate all the traits that support ethical decision-making.

Modelling the key values of a compliance culture to create strong organizational drivers for integrity should be the focus of the conduct objectives of every compliance program. The fundamental message should be that performance and behavior linked to demonstrating integrity will be encouraged and appreciated.

Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing these threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in the organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee's responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization's IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like misdirected e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks arising from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.

Margin Call and unethical crisis management in the financial services industry

The 2011 movie Margin Call focuses on the conduct of the employees of an investment bank in disaster mode. The movie takes place in the prelude to the 2008 global financial crisis. During a reduction in workforce, an analyst discovers that the firm's predictive models are showing that its portfolio of mortgage-backed securities will soon experience losses which will exceed the value of the highly leveraged firm and lead to its bankruptcy.

The rest of the movie centers on the behavior of the firm’s employees and senior management and the choices they make in handling this discovery. Unsurprisingly, many of them model unethical decision-making and provide cautionary examples from which governance and compliance structures can take advice for what to prevent.

  • Key man dependency and lack of transparency – The entire movie revolves around the too-late discovery of the projected losses by an analyst. His boss was working on a project to try to figure out what was wrong with the firm’s models, but he was laid off before he finished his analysis. This scenario suggests the conclusion that if the boss had not been working alone or had been sharing his work in progress sufficiently, then the problems could have been discovered earlier and the entire dilemma could have been avoided or at least mitigated. An insecure overdependence on the work of one vulnerable man and a lack of honest disclosure led to this firm’s undoing from the very start.

  • Corporate code of ethics and culture drivers – A firm's compliance program sets a tone and provides a rules-based structure for employees. Ultimately each individual still has the freedom to make unethical or inappropriate decisions for himself or herself, but the choice architecture provided by a firm's governance controls matters for setting expectations. Corporate enablement of immoral or unethical behavior starts with its simplest practices, such as reimbursement of expenses, especially in a business where the financial upside in compensation is immense. In a firm where an anything-goes culture reigns, the downside of that culture is also immense.

  • Tone at the top and unethical executive decision-making – In a series of overnight meetings, the firm's senior management decides to hold a "fire sale" and dump its toxic assets to limit its own exposure, dispersing the risk through the markets and ripping off its counterparty broker-dealers. They also know that their customers will quickly realize what they are doing and be disenchanted by the deceptive sale of only their troubled mortgage-backed securities holdings. Senior management justifies and solidifies its choice to destabilize the entire market and subject counterparties and clients to losses in order to avoid its own bankruptcy.

  • Lack of business sustainability due to dishonest practices – By selling the toxic mortgage-backed securities to the counterparty firms which should be their trusted partners, the traders end their careers, as no one will do business with them again in the future. They are compensated handsomely with promised bonus pay-outs, but there is another large reduction in workforce once their dirty work is done. The principals of the firm plan to profit from the coming financial crisis, but their business as it was, as an investment bank, is over.

  • “It’s just money” – moral relativism as justification of unethical behavior – The CEO and chairman of the board takes an apparent long view on the actions of his firm, seeing their choice to deceptively unload toxic assets on the market in order to stem their own losses by kicking off systemic disorder, as a mere reaction. “It’s just money” is a wilful disconnection from the human and integrity costs; believing that the entire economic system is a historic construct makes wrongdoing within it blameless. However, this is not reality; financial crises have real impacts and victims, and money is not just “pieces of paper with pictures on it.”

At every turn, Margin Call exemplifies bad corporate conduct, insufficient compliance and governance controls, and unethical decision-making. This movie provides a primer as to the devolving organizational accountability that set the stage for the 2008 financial crisis.

Enron and the mood in the middle

The Enron scandal is one of the most famous examples of modern corporate fraud and corruption. The publicity of the fraud, subsequent bankruptcy of the firm, trial of principals Kenneth Lay and Jeffrey Skilling, and the cascading negative impact on employees and shareholders form a notorious history of corporate malfeasance and misleading investors.

Enron was an energy company that dominated its market in the 1980s and 1990s. Originally involved in the distribution of electricity and natural gas and creation of the related infrastructure, through a series of mergers and acquisitions and expansions of corporate strategy, Enron extended its business into commodities trading, retail energy, water distribution, and data management. Enron was well-known for its commercial success, immense corporate wealth, and aggressive marketing and promotion strategies. Enron was also a fraud, with many of its purported assets overestimated in value or non-existent, and its immense liabilities and losses hidden in other entities so that its financial statements appeared much more positive than they ever actually were.

More has been written about the pervasively fraudulent practices that led to Enron scandal, and the individuals and motivations behind them, than probably any other corporate bankruptcy in history. Many of the principles of, and the unfortunate justifications for, a robust compliance and ethics program can be illustrated by this case. One of the more interesting points of analysis involves the conduct of employees during the fraud and their reaction to signs they may have noticed but not reported, followed by the eventual widespread discovery of the scandal.

Professional skepticism is undervalued in many corporate cultures. Enron employees were so enchanted by the aspirational allure that the company offered that they too often became blind to risks and unethical behavior, and missed or refused the opportunity to get out or to report the fraud. Discussions of corporate governance and compliance programs often concentrate on "tone at the top" (senior management and supervisory boards) or on the impact corporate collapses have on shareholders and the public – but a more important question is what about the employees who were there during the fraud, may have noticed signs, did not or could not do anything, and afterwards are left with nothing but a sense of betrayal? The question of how to encourage these employees to mitigate risks or report wrongdoing, even in the face of personal loss or certain reprisals, challenges and inspires compliance professionals to strive for positive change.

This tale of corporate non-governance, as it was, demonstrates that putting compliance and ethics on the back burner in favor of commercial and competitive pursuits can have a far-reaching disastrous impact. The intersection of business and compliance will always be a tense spot, underscored by commercial pressures, cultural differences, and never-ending change. However, a closer, more understanding relationship between the two disciplines is the best path to modelling the employee conduct that is necessary for longevity and sustainability of success.

For compelling anecdotes from a personnel perspective of the Enron scandal, this 2002 article by Charles Fishman is a good read.