Misconduct by employees on a scale that leads to the imposition of a monitorship will often find its roots in a flawed or dysfunctional corporate culture. The best gauge of a monitor’s success will therefore often be its ability to help the company successfully reform its culture and by doing so avoid the perils of recidivism. This is a particularly difficult challenge, which requires an in-depth understanding of the company’s formal articulation of its approach to compliance as well as how it executes those ideals. In other words, while management and compliance programmes set official policies regarding what should happen at a company, ‘[c]orporate culture determines what actually happens, and which rules are obeyed, bent, or ignored’. Further, because the failure of a corporate culture to embrace compliance may be what leads to the imposition of a monitor, the yardstick for successful remediation is often the degree to which the culture of the monitored entity has improved since the original misconduct. The role of a monitor in effecting that type of cultural change is, in many ways, the unifying theme of this guide.
To be sure, when a corporation engages in unlawful behaviour and finds itself on the receiving end of a monitorship, the misconduct is sometimes committed by only a few bad apples. In other cases, the tree – or the whole orchard – may be rotten, in which case a few revised policies and revamped compliance processes will not be enough, and planting the seeds of cultural change becomes necessary. Although cultural change is a daunting task, with a monitor’s help and guidance, not only can prosecutors and regulators be assured that the company is meeting its compliance responsibilities, the company itself can experience transformational change that leads to sustained, profitable and compliant growth.
Of course, fixing a broken culture is no easy task. A litany of business school case studies, scholarly articles, consultant engagements and criminal enforcement actions attest to the challenge. Edgar H Schein, who pioneered the concept of organisational culture, argued that culture is the most difficult aspect of organisational life to alter because ‘it points us to phenomena that are below the surface, that are powerful in their impact but invisible, and to a considerable degree unconscious’. Despite these challenges, a monitor using the techniques described in this chapter is well suited to guide organisations through large-scale cultural change. Assuming a willingness on the part of senior management to address the cultural issues that led to the appointment of the monitor, a monitor can partner with an organisation to address cultural change while still maintaining the ability to independently hold the organisation to account. This is because a monitor brings an external perspective to the table, one that is not invested in how things were done in the past, and is able both to see the full picture and to illuminate problems that need fixing.
As noted in several of the chapters in this guide, regardless of whether a government enforcement authority views the imposition of a monitor as a form of deterrence to other organisations that may be contemplating similar types of misconduct, the underlying goal of the monitor should never be to effect additional punishment for the company’s wrongdoing but rather to guide the organisation along the path to sustainable change, and to help it avoid repeating its previous mistakes long after the monitor is gone. As a result, a successful monitorship cannot be fully determined on the eve of its termination; rather, we must look at where the organisation is five or 10 years later. To ensure that the organisation is on the road of compliance rather than recidivism, a monitor should take a proactive role in partnering with management to improve or transform the organisation’s culture of compliance.
Not every instance of corporate wrongdoing leads to a monitorship that will require efforts to reform a company’s culture. In some cases, the underlying causes of the misconduct that led to the imposition of the monitorship are not systemic, and in others the cultural infirmities that led to the misconduct have been addressed by pre-settlement remediation efforts. In these instances, a monitor enters a situation in which the few bad actors have already been removed, and while the organisation’s policies and procedures may need to be further enhanced, its overall culture is relatively healthy. Thus, at the outset of the monitorship, it is vital to assess the current state of the company’s culture. The monitor should examine the tone that is set not just at the top but also in the middle of the organisation. The monitor must also look at the existing compliance framework and the organisation’s proposed strategies to remediate any misconduct. The monitor should also evaluate the employees – both those who caused (or ignored) the misconduct and those who tried to rein it in. In addition to determining whether cultural change is necessary, this assessment helps to pinpoint which aspects of the company’s culture potentially need to be addressed.
With that assessment complete, a monitor can then go about the difficult task of counselling the organisation through cultural change. In doing so, a successful monitor must develop a deep understanding of the company’s business and financial objectives. Obviously, an organisation will not embrace cultural change if that means abandoning all hope of profits and growth. To the extent that some in the organisation complain that remediating the issues identified by the monitor will bankrupt the business, a monitor who understands the company’s business will be best equipped to parry these charges, or help the company to find suitable alternatives. A successful monitor can then obtain internal buy-in on the goals and means of cultural change, particularly from the leadership of the business itself. This includes leveraging and building on existing structures that can be used to foster compliance, as well as reinforcing consistent (and repeated) communication about compliance. These tactics will help management to ingrain a new compliance-focused culture in a company by encouraging employees to become more personally invested in the process – a recipe for lasting change. A successful monitor knows that cultural reforms will have a short shelf life if they are imposed on an organisation against its will, hamstring the company’s financial goals or never gain traction with the employees who remain at the company long after the monitor has moved on to the next engagement.
Is cultural reform necessary?
Every organisation experiences compliance breaches where responsibility legitimately rests on a few bad actors rather than a cultural failing. At times, rogue employees can circumvent even the best compliance programmes, but those incidents should be rare in a healthy corporate culture. When they arise, a robust compliance programme must detect the misconduct and then take swift and deliberate action to punish the wrongdoers, no matter their level of seniority. A healthy compliance culture learns the hard lessons from each compliance breach, then uses those lessons to fortify the organisation’s control framework going forward.
The monitor’s first task is to assess whether an organisation’s misconduct can be fairly attributed to isolated bad actors within a particular business unit or division, or whether the misconduct reflects deeper systemic failures across the organisation that can be traced to corporate culture. This assessment should be multifaceted, considering the tone set by management at the top and how that translates to tone in the middle; the company’s compliance framework, including how it measures and incentivises compliance; the company’s proposed remediation to violations of compliance policies and the law; and the company’s existing personnel, particularly whether anyone involved in the misconduct remains at the company. Armed with this assessment, the monitor will know whether and to what extent cultural change is necessary and possible, and then begin the careful process of reporting those results to senior management, the board and the relevant government authority. It is absolutely essential to carefully educate the organisation’s leadership about the monitor’s findings rather than simply to impose reforms based on them; if the monitor claims there is a culture problem, but has not marshalled the facts to demonstrate and convince leadership of the scope and severity of the problem, senior management will rightly criticise the monitor for overreach and make meaningful change all but impossible.
Assessing the tone from the top and the middle
Tone from the top, according to the Ethics and Compliance Initiative (ECI), a leading non-profit organisation focused on developing best practices for compliance programmes, is often considered to be the ‘elusive but necessary condition for success’ in creating a culture of compliance. No less important is whether and how middle management reinforces the tone set by senior management. Indeed, it is critical to assess tone in the middle, given that middle managers typically have more extensive interactions with employees who ultimately will either embrace a culture of compliance or will not. As an initial part of the assessment, it is important to evaluate the reactions of both senior and middle management to the findings of the government’s investigation (as well as any internal investigation) and to look at how management has communicated that reaction throughout the organisation, both formally (through town halls, email communications, etc.) and informally (such as in meetings and conversations between senior managers and their direct reports). Do senior and mid-level managers accept the facts made known to them through the investigative process and express a willingness to address them appropriately? Or do they seek to minimise the misconduct and claim they are the victims of overzealousness? In messaging to employees, does management describe the settlement that created the monitorship as a wake-up call and catalyst for necessary change to the organisation? Or is the monitorship portrayed as a burden and unfair punishment for the isolated misconduct of a few bad apples?
Consider these hypotheticals: in the first instance, on the heels of a large government sanction, the organisation’s chief executive officer (CEO) sends an email throughout the organisation announcing his or her commitment to compliance and compliant growth as the company tries to turn the page on its troubled past; in the second instance, the CEO does not communicate to the majority of employees at all but complains to his or her direct reports that the government investigation was an overreaching ‘witch hunt’ conducted purely for political purposes in which the company was targeted for the same conduct undertaken by its peers, a message that those direct reports then funnel down through the organisation. Obviously, these very different approaches can affect the organisation’s cultural approach to compliance in very different ways. Communications like these create a lasting impression, either positive or negative, that middle management echoes to their teams. If senior managers put their heads in the sand and refuse to acknowledge or understand the extent of the problems that led to the government sanction – and then communicate that resistance to the need for change down the chain – long-lasting cultural change will be very difficult to achieve. In contrast, senior managers who accept responsibility and recognise that change is necessary have probably already set off along the path of change, making it far easier for the monitor to shepherd the company towards broader and longer-lasting reform.
Indeed, a company’s efforts to install and support a robust compliance programme, through adequate resourcing and the tone set by leadership, have taken on increased significance. In October 2021, US Deputy Attorney General (DAG) Lisa Monaco delivered a speech and accompanying memorandum announcing several changes to the US DOJ’s corporate criminal enforcement policies and practices, including rescinding prior Department guidance that ‘suggested that monitorships are disfavored or are the exception’. DAG Monaco announced that the US DOJ ‘is free to require the imposition of independent monitors whenever it is appropriate to do so in order to satisfy our prosecutors that a company is living up to its compliance and disclosure obligations under the [deferred prosecution agreement] or [non-prosecution agreement]’. DAG Monaco added that the US DOJ is ‘committed to imposing monitors where appropriate in corporate criminal matters’ and ‘should favor the imposition of a monitor where there is a demonstrated need for, and clear benefit to be derived from, a monitorship’. Prosecutors are guided by the following two broad considerations when assessing the need for and propriety of a monitor: ‘(1) the potential benefits that employing a monitor may have for the corporation and the public, and (2) the cost of a monitor and its impact on the operations of a corporation.’
The Monaco Memorandum made clear that monitors still ‘may not be necessary’ when a corporation’s compliance programme and controls are ‘demonstrated to be tested, effective, adequately sourced, and fully implemented at the time of a resolution’. On the other hand, even where a company is making enhancements to its compliance programme in response to misconduct, if those enhancements have not yet been tested, a monitorship still may be imposed.
Once installed, the monitor’s assessment regarding organisational misconduct may join and build on prior government investigations. For example, in August 2020, the Bank of Nova Scotia (Scotiabank) entered into a deferred prosecution agreement (DPA) with the US DOJ, including the imposition of an independent compliance monitor, in connection with criminal charges in respect of a price manipulation scheme involving thousands of episodes of unlawful trading activity by four traders in the precious metals futures contracts markets. The DPA set forth that Scotiabank’s compliance function ‘failed to detect and deter the four traders’ unlawful trading practices’, despite three Scotiabank compliance officers possessing substantial information regarding unlawful trading. Despite ‘significant investments’ to improve Scotiabank’s compliance function, the US DOJ determined that an independent compliance monitor was necessary because the remedial improvements had not yet been fully implemented and tested to demonstrate their effectiveness in detecting and preventing similar misconduct in the future. As such, the monitor was armed with knowledge that the misconduct may have been limited to a few bad actors, but Scotiabank’s compliance programme still needed to be solidified and tested.
In making the assessment of tone at the top and in the middle, the monitor should examine a variety of media and communications. Email and written communications are the easiest to review, but the monitor should also attend key town hall meetings or gatherings where senior management communicate with a large number of managers and employees. Similarly, committee meetings of managers on areas that relate to the monitorship may also be fruitful in determining whether and how compliance-related communications have translated into running the business. The monitor can learn a lot from initial and follow-up interviews with senior management, and selected interviews with managers further down the line.
Finally, the monitor should assess management’s tone around compliance through management’s day-to-day interactions with the monitor. To be clear, no snap judgements should be made in the initial days of a monitorship as management adjusts to a very foreign and unique presence within the organisation, but over time, the following questions may arise:
- Does management approach the monitor as a partner in improving the organisation or more as a litigation adversary whose interests are antagonistic?
- Is management transparent in communicating with the monitor, or does the monitor have to go to great lengths to obtain relevant information?
- Does management point out perceived compliance weaknesses to the monitor, or stay silent and hope that the monitor does not discover those weaknesses on his or her own?
The more cooperative and transparent management is with the monitor, the more likely that cultural reform has occurred, is under way or is unnecessary. Obstructive behaviour, however, should be regarded as a harbinger of trouble.
Assessing the compliance framework
The current state (and historical development) of a company’s compliance framework also speaks volumes about its culture. A compliance framework shows how much the company values the importance of the compliance function in identifying and mitigating existential risks. A wealth of resources exists to help a monitor evaluate compliance programmes, including, to name a few:
- for the United States: the US Sentencing Guidelines, the Justice Manual and the ‘Evaluation of Corporate Compliance Programs’ guidance from the US DOJ’s Criminal Division;
- for the United Kingdom: the Serious Fraud Office’s ‘Evaluating A Compliance Programme’ guidance released in January 2020; and
- globally: the Organisation for Economic Co-operation and Development’s ‘Good Practice Guidance on Internal Controls, Ethics, and Compliance’ and its ‘Anti-Corruption Ethics and Compliance Handbook for Business’, or the International Organization of Standards 19600 Compliance Management Systems guidelines.
There is no shortage of guidance to be found beyond these resources, and familiarity with the basics of good compliance programmes is essential to ensure that a monitor can capably identify any gaps in the company’s existing compliance structures, while also getting the necessary grasp on where the company is culturally.
As every corporate culture and monitorship is different, the compliance standards set forth in the literature cited above will only get a monitor so far, but there are certain common themes to examine.
First, the assessment needs to have the necessary scope and depth to avoid the common error of validating a programme that looks great on paper but is not implemented effectively, and does not actually identify and mitigate risky behaviour. For example, consider an organisation with a strict global anti-corruption policy that forbids giving anything of more than US$25 in value to a government official without advance written approval, conducts web-based anti-corruption training in 10 languages, has a third-party due diligence protocol and requires internal audit to conduct periodic audits of corruption risk. On paper, this has all the hallmarks of a robust and effective compliance programme, and a monitor who relies on a handful of presentations and interviews may come away with the sense that there is little more to be done.
Although senior management may be relieved to receive a monitor’s report to this effect, the monitor has done the entity no favours. A more diligent monitor would do a more careful assessment, which could include testing employees’ understanding of the training and auditors’ understanding of relevant risks. Such a monitor would also assess whether the due diligence protocol and audit fieldwork are covering all relevant aspects of the business’s day-to-day activities and whether the compliance group is effectively monitoring conduct to make sure that it comports with the policy. In so doing, the monitor may discover that, although the company has a sound policy, its effectiveness is limited because:
- the policy is not effectively communicated or policed and employees do not seek written approval in advance;
- employees carry out the online training but report that it does not address the realities they see on the ground and is hard to follow;
- the third-party due diligence protocol leaves out critical swathes of high-risk third parties; and
- the periodic anti-corruption audits all come back ‘clean’ in part because the auditors who conduct them are not trained on how to identify corruption risks.
Such a programme might be a cultural red flag of putting form over substance when it comes to important compliance issues. A monitor can assess whether the programme is leading both internal and external stakeholders to believe that the organisation is doing the right thing, when the reality may be very different.
In testing for ‘paper’ programmes, a monitor should consider what efforts the company is making to monitor compliance with its policies, to seek continuous improvements to those policies, and to investigate and discipline employees if policy breaches are detected. Among other things, the monitor can evaluate the effectiveness of compliance training by conducting or reviewing employee surveys or interviews to identify what information is (or is not) being internalised. The monitor should also examine whether employees follow policies in their day-to-day practices through consistent, risk-based testing. Testing can include manual reviews of high-risk transactions, such as customer due diligence for money laundering risk or third-party invoices for corruption risks, or automated testing that looks for known, high-risk patterns. The monitor should examine how the entity performs its own tests for compliance with its policies and whether the tests are ultimately effective in surfacing questionable behaviour. It is also important to evaluate the metrics used to evaluate the programme’s effectiveness. For example, many companies count the number of people who have completed training as a measure of an education programme’s success. Counting heads in an online training ‘room’ is a necessary component of ensuring that personnel are educated about risk but it is hardly sufficient. In particular, it does not assess whether employees fully understand and follow the guidance provided by the training sessions. Better metrics include whether the incidence of high-risk behaviour decreases after employees receive training, whether reporting on issues flagged in the training increases and whether personnel more frequently seek advice from control functions about grey areas that the training highlighted. It is also important to evaluate whether the training has easy-to-follow examples and tests employees on their comprehension of the applicable policies and procedures.
The monitor’s assessment should also evaluate whether the maturity and sophistication of the compliance function correlates with the risks that the business generates. Profit-driven organisations by their very nature look for innovative ways to generate revenue and grow their business, as they should. Yet, new products, services and markets can introduce compliance risks that a start-up compliance function may be ill-equipped to mitigate. For example, a manufacturing company that exclusively operates in the United States, but then quickly expands its business globally through a series of acquisitions, may not have proper controls around corruption and export procedures – common risks for global businesses.
Firms that experience rapid growth without a corresponding maturation of their compliance function may foment a culture that prizes growth above all else and could leave them vulnerable to employee misconduct. In some cases, particularly early on in an organisation’s existence, legal personnel may be more attuned to accommodating growth of the business and may not be equipped to, or used to, serving as a check on how that business attains that growth. Thus, a monitor must assess what the legal and compliance functions look like, not just in their structure but also in their stature. Is the compliance programme respected by other parts of the company as an independent and empowered function that is a partner in helping the business grow in a compliant manner, or is it viewed as an unnecessary hindrance (or, even worse, as an accomplice to help navigate around existing policies or laws)? Do the company’s legal and compliance components have sufficient resources to identify and mitigate legal, compliance, reputational and other risks? Do compliance personnel have a spot at the decision-making table such that, even if the compliance chief does not report directly to the CEO or sit within executive management, his or her voice is nevertheless heard and respected at the highest levels of the organisation? A monitor can pull on different threads to reveal whether a compliance function commands respect, such as observing cross-functional meetings with compliance and business personnel, gathering an assessment from internal audit about compliance leadership, and reviewing how the CEO and his or her direct reports respond to compliance presentations.
Assessing the proposed remediation
A monitorship begins months, or even years, after the company first becomes aware of problems with its employees, compliance programme or corporate culture. Consequently, the company almost certainly will have already taken steps to remediate the previously identified issues. The monitor must consider and respect these initial remediation efforts and the organisation’s proposals for addressing the misconduct going forward. Even when these proposals are viewed as flawed and incomplete, the monitor must resist the temptation to reject them out of hand and impose on the monitored company his or her own perception of the ‘best in class’ compliance programme for the company. As long as the existing remediation plan provides a path to being effective, it is almost always better to work within that framework. A wholesale rejection of the company’s efforts thus far risks demoralising and undermining the stature of the existing compliance personnel and setting an adversarial tone for the monitorship rather than one of partnership. Moreover, the hard work of convincing management to invest in the existing remedial plan has presumably already been accomplished, and it will be far easier to convince management of the utility of improving an existing programme than to start a resource-intensive exercise from scratch.
Further, a snap judgement about the company’s past remedial efforts also runs the risk of being wrong. What may have worked at another company in another monitorship might not fit this particular company’s business and culture. Instead, it is important to understand why the company chose the remedial path it did and leverage that work to improve the compliance programme so as to effect cultural change.
To assess remediation efforts in a meaningful way, a monitor should look both at what was accepted and implemented in response to the government’s findings of misconduct, as well as at what was considered but rejected. This provides insight into management’s thinking and gives the monitor a starting point for remedial solutions that are likely to fit within the organisation. Are there ideas that were thrown out before the monitorship began that could actually be effective with some revision? Were they rejected because the business misperceived the extent of remediation necessary? Did business managers push back on proposed remedial measures and, if so, what was their rationale? The historical interplay between business management and compliance personnel over different avenues of remediation can provide significant insights into what motivates the business, and what kinds of compliance reforms will meet resistance or engender business support in the future.
Assessing the personnel
One of the most important and challenging aspects of a monitor’s initial assessment of a company’s culture is its evaluation of the people in the organisation – at a multitude of levels.
The monitor can play an important part in helping the company make sure all the direct participants in the misconduct are gone. Under the US Sentencing Guidelines, for example, companies must make reasonable efforts to remove personnel in positions of substantial authority that the organisation knew (or should have known) were engaged in misconduct. Identifying the principal wrongdoers is often straightforward and will typically have largely been completed by the government or internal investigation, but it is also just as important to understand and identify those who may have knowingly supported or enabled them. In a monitorship with a backward-looking assessment, there is the associated benefit of alerting management to personnel whose historical behaviour may warrant further scrutiny. Management may decide those personnel need further training, better compliance incentives or should be transferred within – or even out of – the organisation. Even in a monitorship focused only on the current control environment, the monitor, through interviews with key personnel, can help management identify personnel who do not buy in to cultural reform, minimise misconduct, erect roadblocks to change or are obstructive. In the first instance, the monitor should attempt to work with those individuals and their supervisors to develop support for reforms. But if those efforts prove unsuccessful, it is the monitor’s obligation to share his or her concerns with more senior management, the CEO, the board of directors or even the appointing government authority if the monitor believes that the individual will be an impediment to the reforms necessary for the company to avoid recidivism.
The monitor’s role can also be important in helping a company identify and potentially empower ‘change agents’ who are already within the company’s ranks. Change agents are those within an organisation who have a demonstrated track record of fostering compliance (or at least pushing for reform) and the commitment to help lead the organisation in its cultural transformation. Change agents – who may be located within the business, legal, compliance or elsewhere – can be key to facilitating a broader transformation, because their visibility in the organisation conveys a persuasive message that sustainable change emanates from within the organisation, rather than from external forces. The monitor can help to facilitate that process, identifying voices that may not have previously been heard, searching for obstacles that may have held them back and helping to clear the way for change agents to lead the organisation down a more compliant path.
Implementation – fixing corporate culture
At the end of this initial assessment, if the monitor concludes that the culture in all or part of the organisation contributed to the misconduct, and that existing efforts to address it are unlikely to be sufficient, the monitor is then faced with the difficult task of working with management, the board of directors and, potentially, the appointing government body to change that culture. In setting out to change a corporation’s culture, it is important to avoid common pitfalls. Change management thought leader and Harvard Professor John Kotter, for example, has argued that most large-scale corporate culture transitions founder because they fail to generate a sense of urgency, to establish a powerful guiding coalition, to develop and communicate a vision, or to fully embed changes into the corporate culture. And Harvard Business School Dean Nitin Nohria and Professor Michael Beer contend that about 70 per cent of corporate change initiatives fail because, in the rush to change their organisations, managers immerse themselves in ‘an alphabet soup of initiatives’ – failing to recognise the real human toll of efforts to change and, ironically, focusing on too many conflicting ideas about how to change a company rather than a single coherent strategy.
The existing scholarly literature, though helpful, will only get a company so far. An effective monitor will need to use all the tools in his or her toolkit to fix a broken culture. The most relevant are discussed below, including getting internal buy-in, leveraging and building on existing structures, and reinforcing consistent, repeated messaging.
Obtaining internal (and business) buy-in
A monitor is most effective in shepherding large-scale change when he or she has the buy-in of the key components of the organisation itself, particularly, as discussed below, from those running the business. To be sustained, cultural change must be driven or adopted from within, rather than imposed by an outsider against the company’s will. When imposed from the outside, change tends to dissipate quickly after the monitorship has ended. Of course, internally driven change demands willing partners. This strategy works best when senior leadership – as demonstrated through the work done in the monitor’s initial assessment or otherwise – is invested in effectuating change.
On the other hand, senior leadership’s failure to buy in to needed cultural change can have significant consequences. For example, Standard Chartered Bank had its independent compliance consultant’s term extended multiple times for sanctions violations, most recently in April 2019, because, despite paying substantial fines and making substantial efforts to improve its compliance culture, the business and senior compliance leaders had still failed to take steps to block or better identify prohibited transactions, even after identifying compliance risks.
Perhaps the most important constituency to bring on board for cultural change, however, are the personnel in the organisation’s business units. Regardless of how good an organisation’s legal and compliance functions are, the business is where the culture is shaped and lived in day-to-day decisions. As the ECI recognises, an effective compliance programme ‘aligns with the larger objectives of the business’. A more compliant culture requires an organisation, in the first instance, to commit to ethical and compliant behaviour rooted in policies, laws and ethical principles. Achieving this culture demands a commitment to specific reforms. Business personnel need to embrace the overall goal of compliant growth and sign up to the specific reforms that will aid the organisation in reaching that objective, with the understanding that, in the long run, the company will be more successful in the marketplace if it is regarded by its customers, regulators and government investigators as a compliant company that conducts itself in an ethical manner. In other words, revenues will increase as the company regains the trust it may have lost with its customers as a result of the misconduct that led to the monitorship. And the bottom line will improve as costs related to investigating misconduct, responding to regulators and settling with the government drop precipitously, as well as through increased efficiencies that often accompany the alignment of incentives between employees and management brought about by a more compliant culture. Getting buy-in from managers and employees throughout the chain of command within the business helps to ensure that the message that compliance is important gets internalised, and will inspire employees to invest in the company’s efforts to change.
Although a monitor may have the mandate to impose reforms on business units, the goal of sustained cultural change is better served if the monitor instead can persuade the business of its benefits. Ideally, this would occur through direct interactions with senior management, resulting in buy-in for the monitor’s recommendations. The monitor must be an advocate and build its case to business management that a problem exists and, if left unaddressed, the problem will cost more in the end than the proposed reform, through additional investigations and fines, increased reputational costs, inefficiencies or distraction of management. But if management refuses and unreasonably digs in its heels, the monitor should leverage the power of the company’s board of directors or the government authority that appointed the monitor to get management to see the light. The monitor can inform the board or the government authority of management’s intransigence, either informally or formally through the monitor’s reports. If these efforts are unsuccessful, the monitor can issue his or her recommendations, use the remaining period of the monitorship to report on implementation, and then rely on the continued vigilance of the board of directors and the appointing authority to give the reforms time to fully take root and – it is to be hoped – improve the company’s culture alongside them. But this result should be a worst-case scenario, as it has the least chance of effecting cultural change that will best prevent recidivism.
If business managers do not embrace cultural change, they may also jeopardise the company’s resolution with the US DOJ. As announced by DAG Monaco, the US DOJ will impose ‘serious consequences’ on companies that breach the terms of their DPAs or non-prosecution agreements (NPAs). In October 2017, NatWest Markets’ broker-dealer subsidiary, NatWest Markets Securities Inc, entered into an NPA with the US DOJ following a years-long securities fraud scheme involving allegations about misrepresentations in the purchase and sale of collateralised loan obligations and residential mortgage-backed securities. In December 2021, the US DOJ imposed an independent compliance monitor and issued another US$35 million fine, restitution and forfeiture on NatWest Markets after it ‘breache[d] the terms of [the 2017 non-prosecution agreement] with the government’. Labelled a ‘repeat offender’, NatWest Markets pleaded guilty to various fraud schemes in the markets for US Treasury securities and futures contracts. DAG Monaco noted that ‘[c]ompany executives should realize that investment in compliance programs can avoid situations like this, and take action accordingly’.
Efforts to reform in one business unit, even with the help of a monitor, can leave a company vulnerable to cultural problems in other business units, leading to additional legal and reputational risk or the appointment of another monitor. For example, State Street Corporation, already working with a monitor pursuant to a 2017 DPA concerning one business unit’s failure to disclose commissions to customers on billions of dollars of securities trades, entered into a new DPA and agreed to hire another monitor as a result of a different business unit’s failure to disclose markups to routine charges for out-of-pocket expenses to custody clients.
As discussed above, a successful monitor will also have (or develop) a keen understanding of the entity’s business to understand what drives its profitability and growth, and use that understanding to convince the business that a more compliant business is not incompatible with a growing and more profitable business. To be effective, this is when a monitor must demonstrate the ability to add significant value – as an outsider with independent authority and freedom from the organisational hierarchy who can marry the twin goals of compliance and growth. Demonstrating a keen interest in the business and a desire to find a path to compliant growth also will allow the monitor to gain the necessary credibility with the business so that the monitor’s recommendations are respected as necessary and practical. The alternative – dictating reforms without regard to the underlying business imperatives – will inevitably frustrate the process and diminish the monitor’s credibility, and therefore his or her ability to achieve sustainable reform. A monitor also should be prepared for the possibility that certain business practices are simply not compatible with compliance policies and the law. For example, business personnel often decry restrictions on what they can give to government officials, claiming that such practices are the only way to do business in certain countries. In those moments, the monitor needs to stand firm. Although the first imperative is to draw on experiences with other monitored entities or clients to help the company find a compliant path forward, if the business genuinely cannot survive in a certain market without breaking the law, the company may have to be prepared to exit that market.
Getting business unit buy-in may also require marshalling historical facts to give business management the needed wake-up call. When a monitorship includes a historical component, the monitor’s investigation can expose the facts and scope of misconduct to business management who may have previously lacked awareness or turned a blind eye. If managers do not know the full facts of what occurred previously, they may be less inclined to make the decisions necessary to achieve cultural change. Although a company may initially view the requirement of a backwards-looking investigation as a costly, punitive measure, if harnessed effectively by a monitor, it can be a critical tool for motivating cultural change. Specifically, it may demonstrate the extent to which the misconduct was driven by historical cultural issues that may still be present despite the post-investigation remedial conduct in which the company has engaged. Put simply, if the company did not understand the extent of the problem, it cannot be expected to take all the necessary steps to fix it. If a monitorship has no historical component, a monitor should look to the results of internal investigations, regulatory investigations and his or her initial assessments, and use those facts to frame the need for change as necessary.
Another key way to achieve internal buy-in is to encourage (and even require) the company, and in particular its business components, to play a part in finding the solutions to problems identified by the monitor or the company itself. A company is much more likely to buy in to a reform, particularly one that is potentially transformative, that comes from within as opposed to one that is forced on it by an outside party. In addition to the benefit of the business ‘owning’ the solution, it can apply its superior knowledge and expertise to craft sustainable reforms that are consistent with its business objectives. Soliciting ideas from the business also will help the company view the monitor not as an enemy but as a partner to help it follow a better path – which is in line with the goal of a monitorship being remedial, rather than punitive.
Leverage and build on existing structures
As discussed above, one of the greatest effects a monitor can have is empowering voices already within the organisation and removing obstacles that stand in their way. This applies not only to people but also to ideas.
A company rarely needs to start entirely from scratch. There are typically existing processes or procedures already in place that could be used more effectively to enhance compliance or to communicate new compliance values. For example, enterprise risk assessments, internal audit processes and existing data sources can all be used as a starting point for a company to better understand and assess its compliance risks. Data analytics, discussed further below, is an increasingly important tool to mine existing data sources for suspicious conduct. The monitor plays the critical part of identifying the processes or procedures worth keeping, and helping the company augment and deploy them to improve compliance. And the best ideas often originate from company personnel, who are embedded in the business and have a keen sense for what processes are most likely to succeed.
Consider the following example. Business managers at a company were falling short on compliance and were not meeting senior management’s expectations that they would identify and address certain compliance risks among their subordinates. After discussing this finding with senior management, the monitor declined the invitation to propose a solution and instead encouraged the company to develop its own path forward. With the guidance of the monitor, business managers devised an innovative solution that went well beyond the monitor’s mandate, and therefore beyond any solution the monitor could have recommended. As a result, the company created a whole new system of executive accountability that grew organically from its own business leadership and was embraced by their teams as a positive change.
Of course, sometimes it will be up to the monitor to introduce his or her own solutions to problems when the company is unable or unwilling to forge its own path forward. But even in this situation, the monitor should bring the company into the process of shaping the proposed reform by sharing draft recommendations, soliciting input on how to improve them and then working with management to find the best ways to implement the recommendations.
Reinforce consistent (and repeated) messaging
To be successful, cultural change requires a vision that employees can rally behind and that management can point to as the rationale for decisions being made that affect employees (sometimes negatively). Inculcating a compliant culture requires reinforcing this vision through regular messaging because, as compliance experts Nitish Singh and Thomas J Bussen note in their practitioners’ guide for compliance management, employees are more likely to behave more honestly and responsibly if senior managers express their vision of an ethical corporate culture ‘loudly and consistently’.
An effective monitor should encourage and help a company use every vehicle possible to communicate the company’s vision for a compliant culture and its plan to achieve it. A company that is serious about change, and instilling and maintaining a culture of compliance, should:
- repeat the core messages behind the organisation’s cultural shift and new vision at town halls, management presentations and public discussions;
- make compliance a core part of the company’s code of conduct, which is key to setting the appropriate tone and is one of the most visible manifestations of the values and culture of an organisation, both to employees and the outside world;
- ensure messaging is consistent, with no deviation from the message that compliance is important and a part of the core culture; any deviations should be immediately addressed. If necessary, managers who refuse to support the message, or who undermine it, should be considered for disciplinary measures or even dismissal. For example, a company should pay careful attention to managers who undermine compliance personnel in team meetings, downplay the importance of (or ignore) compliance risks in town halls, or excuse compliance breaches of their top-performing revenue generators; and
- teach new behaviour by example, set the tone from the top and reinforce that tone down through the management ranks.
As the ECI’s Ethics and Compliance Handbook notes: ‘Setting an appropriate tone for ongoing discussions about ethics and compliance is one of the most important roles an organization’s board and senior managers can play.’ Guidance from the US DOJ echoes this sentiment, telling prosecutors to look at how senior leaders have encouraged or discouraged compliance ‘through their words and actions’. That means senior managers, as well as lower-level managers, must not only talk the talk, they must walk the walk. A manager who walks the walk, for example, will often confront tough decisions, such as terminating the contract of a top-performing salesperson who regularly circumvents the rules, even if that decision causes a short-term hit to the manager’s financial performance.
Set the right tone from the middle
Middle management serve as both the emissaries of top management and the supervisors of those who are most responsible for carrying out and adhering to the company’s policies. Their involvement is critical to the success of any effort to change the corporate culture. Most employees, especially at larger organisations, have little direct contact with senior management and so will take their strongest cues from those managers who supervise and interact with them regularly.
An effective monitor can help to reinforce a compliance-driven culture in middle management. It can push for and provide guidance on rewriting a company’s code of conduct, identify through monitoring and testing where messaging has deviated from the expectation of compliance, push senior managers to walk the walk themselves by consistently messaging the importance of compliance and offering incentives that reward it, and use its reporting authority to credit middle managers who are setting the right tone for their teams. The monitor also plays a crucial part in helping an organisation devise strategies to conduct its own monitoring and testing of how it is measuring up against its improved compliance framework. With a robust testing programme in place, an organisation can better detect those employees who need additional training or guidance, as well as those who simply do not want to change their way of doing business.
Evaluation and incentives
A monitor should also look for ways to make sure employees are being evaluated, measured and compensated in a way that promotes compliance. Employees will look to the criteria against which they are measured, and the ways those criteria affect their compensation and promotion, as key signals regarding how much attention they should pay to compliance.
Government enforcement actions underscore the cost of getting incentives and compensation wrong. For example, when federal regulators fined Wells Fargo US$185 million in 2016 after finding that employees had secretly created millions of unauthorised bank and credit card accounts without customers’ knowledge, the Consumer Financial Protection Bureau pointed to Wells Fargo’s sales goals and sales incentives, including an incentive-based compensation programme, as influencing employees to engage in improper sales practices. Employees described a toxic sales culture with impossibly high targets, in which employees who did not meet daily sales goals were chastised and demeaned in front of peers or threatened with dismissal. And when Wells Fargo settled criminal and civil claims brought by the US DOJ and the Securities and Exchange Commission (SEC) regarding the bank’s improper sales practices for US$3 billion in February 2020, the government pointed to the bank’s ‘onerous sales goals and accompanying management pressure’ as leading ‘thousands of its employees to engage in unlawful conduct’. In particular, the government noted that senior leadership ‘contributed to the problem by promoting and holding out as models of success managers who tolerated and encouraged sales integrity violations’. Although, fortunately, situations this extreme are uncommon, a monitor must be sensitive to a culture that incentivises misconduct and must work with the company to realign this incentive system.
Importantly, when it comes to determining business employees’ and their managers’ compensation, the monitor should look to see whether it is based only on financial performance or if it also incorporates compliance metrics. For example, if business personnel shoulder responsibility for conducting due diligence on third-party agents, are they also evaluated on the quality of the due diligence they perform? Does the company specifically measure how well business personnel execute their compliance responsibilities and is that measurement a factor in compensation decisions? Or are these personnel only measured on how much business they generate? To be sure, there is no one perfect metric to capture compliance-related performance, and any such determination is likely to be conducted on a different basis in any given company. But a monitor can help a company identify compliance metrics that are appropriate to its business, capture both positive and negative performance, and then feed into compensation decisions in a meaningful way.
Ultimately, employee incentives should be aligned to promote compliance (and deter non-compliance). A successful change effort will use both ‘carrots’ (in the form of positive incentives, including financial incentives) and ‘sticks’ (in the form of disciplinary measures) to instil and repeat the message of a compliant culture. A company’s compensation system should be structured to avoid incentivising employees to misbehave and instead both penalise bad behaviour and reward good behaviour. The rewards and penalties built into the system should be aligned with the message from management about the new culture of compliance.
The question of whether to reward ethical conduct – or simply to expect it as the norm – is one that has generated controversy. Publicising when an employee makes choices in line with an organisation’s compliance goals, and rewarding those who are exceeding the performance of their peers, sends a powerful signal of how to be successful at that company, not to mention providing real-world guidance on operationalising the company’s stated values. As one example, at a monitor’s suggestion, a business division that sought to improve its culture of compliance devised metrics to evaluate personnel on compliance-related topics, then used those metrics to award increased bonuses to employees who demonstrated top compliance performance. Within one year, the division experienced what its leadership described as a ‘sea change’ in attitudes about compliance. The US DOJ’s guidance for evaluating corporate compliance programmes similarly noted that ‘some companies have also found that providing positive incentives – personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership – have driven compliance’. In 2020, the US DOJ reinforced the importance of positive incentives and observed the use of compliance metrics to reward behaviour: ‘some companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.’
Another tool to effect cultural change is through negative incentives and, in particular, to ensure that the company’s disciplinary process is in line with the intended message of the importance of compliance. The monitor should ensure that employees who engage in misconduct that is in any way similar to the misconduct that led to the imposition of the monitorship are treated with the appropriate level of severity. Nothing will undermine management’s stated goal for change more than seeing a recidivist employee receive a slap on the wrist for the same type of conduct that was the impetus for reform. Further, employees should be consistently disciplined for misconduct. If rainmakers or star business generators receive a ‘pass’ or are disciplined inconsistently (or not at all) because they are valuable to the business, this can undermine all other efforts to improve the company’s culture. Such a practice can breed resentment and resistance, and obscure the message that compliance is important for all in the company. As the ECI observed: ‘Employees are careful observers of how their employers impose discipline.’ When a monitor sees inconsistency in the disciplinary process, this should be highlighted for the company and a revamp of the way discipline is handled can be suggested. In addition to sending the right cultural message, the consistent imposition of discipline and rewards is an important way to demonstrate that a compliance programme is more than just a ‘paper’ one.
Companies are now awash with data – from their employees, contractors and customers – and many struggle with how to employ that data in their compliance programmes. It is imperative that they do so. For example, regulators have made clear they are using ‘big data’ to investigate wrongdoing and they expect companies to do the same. Indeed, at a conference in November 2019, the Assistant Director of the SEC’s Foreign Corrupt Practices Act (FCPA) unit and Acting Principal Assistant Chief of the US DOJ’s FCPA unit expressed that they expect it will soon be the norm for companies to make use of data analytics in their compliance programmes, including to better detect corruption and fraud, with the SEC’s FCPA Assistant Director noting that ‘from the SEC point of view the answer is pretty clear: it’s absolutely a good thing’. In fact, Wells Fargo received significant cooperation credit in its 2020 resolution with the US DOJ and the SEC in part because it assisted prosecutors ‘in complex data analytics projects’ as part of their investigation.
Big data can also be a useful tool in assessing the health of a company’s compliance culture. At the outset of a monitorship, data analytics can serve to help identify compliance weaknesses and pockets of resistance to cultural change. And as the monitorship progresses, data analytics can serve as an important tool in the monitor’s toolkit to assess, using qualitative data and concrete metrics, whether policy changes, training and changes in the tone at the top are in fact taking root in the organisation and effecting cultural change, or whether old habits continue to persist, and where. For example, a company can analyse trading activity to assess whether brokers are adhering to newly implemented restrictions, or mine travel and expense data to test whether sales personnel are complying with stricter rules on interactions with government officials. It is thus increasingly important for a monitor to consider carefully how a company can be encouraged to use data analytics to drive and measure cultural change, and to tailor use of the data to the specific risks and data sources of the company. In considering how to do so, a monitor should start with a few basic questions:
- What data sources already exist in the company (for example, third-party payments data, internal expense reports, ‘know your customer’ data or other financial transaction reports)? Can these data sources be analysed to detect compliance risks? How?
- What data does the company already analyse for reports to management and to track financial performance? Can that data be analysed from a different perspective to identify high-risk areas or weaknesses in the company’s controls? For example, if a company’s management regularly receives reports about new business being generated, can that information also be analysed to identify high-risk geographical regions where the company’s customer base is expanding and anti-corruption controls may not be keeping pace with business growth?
- How do the company’s existing data sources align with its compliance risk areas? For example, if the company faces significant corruption risk because of its global nature, does the company analyse vendor payments, travel and entertainment expenses and funds to distributors (such as margin payments, discounts and marketing support) for anomalies that could indicate potentially corrupt transactions?
- Are the right people given access to data? Do senior managers and compliance officers receive the requisite granularity to manage risks within their functions? For example, if a company is required by government contracting rules to meet certain country-of-origin requirements for materials purchased from suppliers, do compliance personnel and senior supply chain managers have access to data regarding the country of origin for each material or part purchased on a given contract?
The answers to these questions will inform a monitor’s efforts to help the company successfully integrate data analytics into its compliance programme efficiently and effectively, leveraging existing data and resources where possible. When data that are already being collected can be repurposed to analyse a company’s compliance risks, this may be an easy lift. But if this is not the case, a monitor can help the company make risk-based decisions about where collecting new data or investing in new technology makes sense – and where it does not.
The use of data analytics to root out misconduct before it gets reported to a hotline or develops into a more systemic failure serves to emphasise a company’s commitment to rooting out problems and addressing them. Data analytics, however, rarely work well as a compliance tool when used in isolation. Instead, they should be viewed as simply one component of a holistic approach to compliance. In guiding a company along the path to cultural change, a monitor should emphasise the importance of integrating data analytics into a broader approach to compliance embedded deep in a company’s culture, without abandoning the human judgement and analysis that form the core of any successful compliance programme.
Many of the assessments, processes and tools described in this chapter are hallmarks of any effort to revamp a corporation’s culture. A monitor, however, occupies a unique middle ground – not an insider but also not the government – that allows him or her to press on different levers and apply external pressure to an organisation that might not otherwise undergo necessary cultural change.
One of the monitor’s most prized tools in helping to effect cultural change is the power of reporting. A monitor often enjoys a high level of credibility with a company’s board of directors and the government authority that made the appointment, and as a result, a monitor’s words are amplified. For management, a report from the monitor criticising management’s efforts to reform the company’s culture as lacking can lead to highly negative consequences, including to compensation or continued employment. Similarly, a report that gives credit where credit is due can bolster certain managers in the eyes of the board of directors and the company’s regulators. The monitor must use his or her credibility and the power of reporting to incentivise change, and give management every chance to earn a positive report, while never wavering from his or her duty to provide truthful and accurate information about the company’s challenges and failures.
Another important characteristic of monitorships in achieving cultural change is the monitor’s experience and credibility as an external expert. A monitor is not invested in how the company has always done things and is not a part of the existing hierarchy. As an independent third party, a monitor can marshal historical evidence to shine light on the problems that led to imposition of the monitorship in the first place, and create the requisite sense of urgency and a wake-up call for change. Because of this, an effective monitor can also empower individuals and ideas that have been ignored within the organisation in the past. A monitor is also able to facilitate change at all levels, by virtue of communication and interaction with everyone from senior management to rank-and-file employees. This broad perspective allows a monitor to see the full picture, putting him or her in a uniquely strong position to help a company chart a path with full awareness of how to avoid unintended consequences.
Ultimately, the task before a monitor in effecting cultural change is to help the company develop the tools of a compliant culture, and then teach the company how to use them so that the company itself steps into the monitor’s shoes after the monitorship ends. Ideally, by the conclusion of the monitorship, the change agents within management should be empowered and acting on the monitor’s invitation to proactively identify compliance risks, and proposing and implementing solutions to address them. By the time the monitor leaves, the company should have recognised that a compliant culture is also good for the bottom line and have an unwavering commitment to continuing along the path it established with the monitor, so that cultural change will endure long after the monitorship has concluded.