As an alumni of Baylor University, Eric has closely followed the allegations that Baylor University violated its obligations under Title IX. Six months after his first episode looking at this issue, Baylor University, unfortunately, is still in the news. What’s going on? What lessons can compliance professionals learn from Baylor University and how this compliance failure has been handled?
Baylor University’s Board of Regents have provided a playbook of what not to do when responding to a compliance failure. When looking at how Baylor has handled this situation, Eric considers three key teaching moments. First, Baylor’s problems dispel any belief that private companies or private universities can handle these issues internally and without public scrutiny. Second, he considers how Baylor’s response continued to damage its reputation and how reputational harm damages the University overall. Third, he talks about the importance of transparency.
At the end of the episode, Eric lays out three steps that Baylor University’s new president, Dr. Linda Livingstone, should take to repair the reputational harm and restore confidence in the University. The allegations that Baylor faces are compliance failures and evidence that the organizational culture needs to change. Dr. Livingstone has a hard road in front of her. But it is possible to come back from this sort of scandal when you commit to transparency and creating a strong ethical culture.
What’s the difference between compliance and corporate culture? Is there a difference? How do they work together? In this episode, Eric looks at how two airlines, United and Delta, responded recently to challenges they faced and how their responses speak to their corporate cultures. Both airlines faced operational failures. The juxtaposition of their responses are excellent teaching moments and examples that compliance professionals can give to demonstrate the relationship between compliance and corporate culture.
United has a bad week. Much attention has been focused on the gentleman who was recently physically and forcefully removed from a plane. But there is a much bigger issue of corporate culture that ought to be the focus here. It is clear that several United employees who witnessed this incident abdicated authority or failed to question actions of other employees. This inaction speaks to United’s culture in way that ought to be of more concern more than the incident.
When considering what happened when United employees, we must look at how many individual failures had to happened for this to occur and what this tells us about United’s culture.
Compliance and corporate culture aren’t in a box that you take off a shelf. Growing an ethical culture is hard work. Corporate culture and compliance are integral to everyday operation. United’s challenge show us that corporate culture greatly affect what happens when frontline employees witness misconduct and fail to report it. These failures affect how an organization conducts its business.
Delta had to cancel 3,000 flights when extreme weather shut down Atlanta’s airport. It was a difficult situation and a much bigger disruption to operations than the incident United faced. But there was a night and day between how the airlines addressed the problem as Eric witnessed firsthand when he was stuck at Atlanta’s airport because his Delta flight was cancelled. Each Delta employee he encountered had an attitude that recognized the extent of passengers’ inconvenience and also tried to make their experience better.
When looking at two operational failures and the airlines’ reactions, you can the impact of a strong ethical culture and the apparent lack of one. Delta’s culture was flexible to take on operational failure. How would United employees handle the cancellation of 3,000 flight?
How do you approach a culture like Delta’s? There’s no easy answer when you are considering how to fix an unhealthy corporate culture. Clearly, one part of fixing corporate culture is the message from the top of the organization. The tone from the top must be strong about values and the fact that you can come forward and speak up when others act unethically or illegally. These two examples are important examples for your business units because they show the real consequences of corporate culture on organizations’ bottom lines.
Before joining Crowell & Moring, Laura prosecuted healthcare fraud in the Fraud Section of the Department of Justice. In this interview, Eric and Laura discuss what the Department of Justice looks for in an effective corporate compliance program and how the government makes charging decisions. Eric and Laura talk about the impact of the Department of Justice’s new guidance, the Evaluation of Corporate Compliance Programs, the Department of Justice’s position on remediation, and how the Yates Memorandum has affected prosecutors’ decisions to charge individuals involved in corporate misconduct.
As Eric returns from the Society for Corporate Compliance & Ethics European Ethics & Compliance Institute in Prague, he shares the hot topics of discussion at the conference. He discusses his three main takeaways from the conference.
First, there is strong interest in corporate culture in Europe. Focus on ethical culture and compliance can vary between countries and cultures. In the past, many have held the belief that emphasis on compliance programs is not as strong in Europe as it is the US. But that’s not a fair assumption. There is a strong recognition that healthy corporate culture is essential to an effective compliance program.
Second, Eric found that European compliance professional recognized strongly the impact of collecting data and using that data to inform the development of their compliance programs. He saw a very strong commitment to benchmarking programs and a strong focus on gathering data internally for measuring performance of compliance programs.
Third, there was discussion and reaction to political changes in US and in Europe. There was particular concern about President Trump’s statements during the campaign about rolling back regulations and how this may impact perception of the need for strong compliance programs.
Just a few years ago, Europe was considered behind the United States in compliance and ethics. That is not the case today. Eric looks at three hot topics in compliance and ethics in Europe as he prepares to leave for the Society of Corporate Compliance and Ethics European Compliance & Ethics Institute in Prague this week.
In some areas, European compliance and ethics standards are exceeding the United States’ standards. In recent years, regulators in Spain, France, and other countries have consistently recognized the importance of compliance and ethics programs. In the context of anti-corruption, the United Kingdom’s Anti-Bribery Act, the Brazilian Clean Companies Act, and other efforts to curb corruption, Europe has leapfrogged the Foreign Corrupt Practices Act, which used to be the primary legal mechanism internationally for fighting corruption. For instance, the UK Anti-Bribery Act is clearly a newer law than the FCPA and expands coverage. This leads to the questions: Will Europe become the new leader in defining what makes an effective compliance and ethics program?
There are a number of similarities between what is happening in Europe and the United States. Compliance professionals all over the world are focusing on corporate culture, measuring employees through surveys, and addressing issues like retaliation and observed misconduct. The notion that Europe is behind in compliance and ethics is not accurate anymore. We are now on the same page.
As much as we see similarities, there continue to be significant differences, particularly in data security. European Union’s General Data Protection Regulation (GDPR) will go into effect in spring of 2018. This year is the last year to come into compliance with the GDRP. Organizations need to look carefully and determine whether they have any exposure under the GDRP because there are no safe harbor provisions.
When we are talking about risk assessment and the Evaluation of Corporate Compliance Programs, there are three areas to really focus on. First, the Evaluation considers how organizations create and use their methodology for risk assessment. Second, this new guidance focuses on how the data you gather informs the choices you make in your compliance and ethics program. Third, the Evaluation introduces the notion of manifested risk.
The Evaluation asks specifically: what methodology has the company used to identify, analyze and address the particular risks it face?
This new guidance also suggests that the DOJ wants to know how you gather your information to analyze. What metrics, information and data are you collecting to help detect misconduct? How has it informed the compliance program? Many organizations gather data in a number of ways—through hotline reports, direct reports to management, and other human resources data. The Evaluation is a clarion call for organizations to aggregate data and show how the information you collect affects your program.
The Evaluation raises the idea of manifested risk, which is a new concept to many people. Manifested risk is risk that is likely to occur in your organization. For instance, if you know that the risk of bribery is high and there have been reports of bribery in the past, then bribery is a manifested risk for your organization. Many organizations spend time and money addressing risks that they are not likely to face. You want to look at your organization’s history and its operation to determine what your real risks are and then address those risks. You cannot be willfully blind.
When considering risk assessment, you must always consider the frequency of your assessments. There’s no hard and fast rule, but you should complete a risk assessment periodically.
Matt Kelly started his career in compliance and ethics as the managing editor of Compliance Week magazine. He spent over ten years of his career at Compliance Week, achieving the position of Editor and Publisher. Before working at Compliance Week, Matt was a freelance newspaper writer. After leaving Compliance Week, Matt founded his own company, Radical Compliance. Radical Compliance provides consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also serves as Matt’s personal blog. Matt writes and speaks frequently on corporate compliance, audit, and governance, and now works with various private clients to understand the those fields and to develop go-to-market strategies or provide other assistance in reaching audiences of compliance professionals.