British Airways learns a lesson on controls

Tom Fox | June 12, 2017

The myth of the lone wolf in FCPA enforcement actions is just that, a myth. Some commentators bemoan how unfair it is that companies must pay for the sins of their corrupt employees. These commentators refuse to acknowledge (1) that the company benefited from the nefarious conduct because it accepted the inevitable profits generated by the business obtained through the corruption and (2) that the company knew or should have known about the conduct.

If the company knew about the conduct, it clearly was involved in the fraud. If it turned a blind eye by failing to put proper controls in place to manage the risk, it is guilty of conscious indifference. A robust compliance program would identify the risks, and part of the management of such risks would require controls around the risks to prevent, detect, and remediate them going forward. It is this integrated nature of what a compliance program should consist of that effectively precludes the existence of a lone wolf argument.

This was demonstrated yet again by the recent British Airways (BA) debacle during the start of the summer travel season at the end of May. For Brits, it was a Bank Holiday and for Americans, it was Memorial Day weekend. BA stranded more than 75,000 holiday passengers when it had a complete and total power outage. And what was the culprit for this massive failure? According to the company president, Willie Walsh, the entire system was brought down by one maintenance contractor, an engineer who switched off the power to BA’s worldwide data center at Heathrow Airport and then turned it on again in an uncontrolled manner.

As you might surmise, both IT experts and even the much-maligned engineering corps were skeptical of this lame excuse, and it is difficult to imagine a multinational company that does not have both back-up systems and internal controls. For the compliance professional, the clear message is to manage your risks and then put controls around those risks. For BA, if your risk is that by losing power, your worldwide system will shut down, you might want to consider a back-up system or, better yet, a control that does not allow one person to keep your entire company at bay during a holiday weekend.