In this exclusive Q&A interview, Editor in Chief Bill Coffin talks with NAVEX Global’s Carrie Penman.

Bribery and corruption is a worldwide problem that drains legitimate business by untold billions of dollars each year. For compliance officers, building a robust capacity to deal with this in a way that satisfies regulators, but also in a way that acknowledges the slippery reality of bribery and without people rejecting it 100 percent is key. What do you think is the most important thing compliance, as a profession, can do to help address bribery in general, and help make this less of a problem worldwide? A lot of companies are international or global in scope, straddling widely varying cultures, where one might have little tolerance for bribery and corruption, and another might see it as an inevitable cost of doing business. How can compliance best deal with such a cultural divide?

This is a very serious worldwide problem, but it has only been getting serious attention over the last 10-15 years. While the FCPA was passed in 1977, there was not much enforcement until the early 2000s. Many countries and companies had anti-bribery laws/policies on the books, but enforcement wasn’t happening. That made it a challenge for some companies to get the attention of their leadership on this issue, let alone the notice of sales teams. As a result, many organizations were surprised by anti-corruption efforts when the big fines were paid in recent years.

The cultural divide is not just across borders, it is also within organizations. Competing priorities within organizations send mixed messages, particularly if incentives are misaligned and people feel like they have no choice but to skate close to the line or ignore the warning signs of potential corruption. So much of what compliance officers do is impacted by incentive programs that are set by the board and driven by executive leadership. This is something I frequently talk to boards of directors about, and it is one of the most important ways they can oversee a program.

Managing incentives is critical to compliance. Think about the types of personalities we all look to hire in sales roles. We want risk takers, people who push hard and think creatively. Then we add in pressure to meet targets so we must incentivize the right behaviors and de-incentivize the wrong ones. I recall a long-ago training conversation with salespeople who complained that our policies were preventing them from winning business. There was one really vocal person who argued that they were at a significant competitive disadvantage because they were not allowed to pay bribes. Finally, I got so frustrated, I said, “Does this company pay you enough to go to jail? They’re not paying me enough. Bribery isn’t a game. It has serious consequences, and we need to change the mindset around it. I don’t look good in horizontal stripes.”

But how do you truly reach people when they feel like they have no choice when it comes to bribery? First, there needs to be a clear policy, communication, and alignment across the board of directors, the executive team, sales, and marketing. Then there needs to be due diligence and third-party risk analysis/screening to make sure there is a clear business purpose for who we hire. The DoJ’s 2012 FCPA guidance is helpful. But, compliance officers can’t do this alone. It starts with incentive planning at the board level and a genuine commitment from leadership to walk away from business, if needed. The board and leadership team need to understand why otherwise smart people continue to consider paying bribes.

I also think there is an opportunity for regulators to take some accountability here and to be less adversarial. Corruption hasn’t been a priority for them for that long either. I think most companies now understand that bribery is bad and they are working hard to build strong anti-bribery programs. The appointment of a compliance counsel at the DoJ who has been in-house is a great start. And as the DoJ shares more stories of organizations that are not prosecuted because they self-reported and took accountability for past issues, this will help compliance officers. If organizations can build trust with the government, maybe we can turn the focus to the real problem of global corruption instead of on each other.

Regulatory risk is increasing to an unprecedented level not just for companies and organizations, but for their compliance officers, as well. With compliance officers facing direct legal repercussions for potential compliance failures under their watch, and with a sense among regulators that there is a greater need to provide the public with highly visible enforcement actions, what does this all mean for compliance officers in general? Is this a major challenge for the best and brightest to rise to? Is this a reason to leave compliance altogether?

I strongly believe it’s for the best and brightest to rise to. This job is not for the faint of heart. You need strong leadership and management skills to succeed in this role. You need trusted business people with good judgment, a reputation for the highest integrity, and people who are culturally aware and politically astute within the organization. The best compliance officers have a strong understanding of business operations and processes. You cannot be effective as a compliance officer if you don’t understand the business. You also need to be a level-headed problem solver, not a Chicken Little, to be respected by all levels of leadership. It takes the best and brightest to find that balance within the role, to know when to raise the red flag, and when to help the organization collaborate on problem-solving.

I find the recent focus on compliance officers by regulators to be very troubling. Elizabeth Warren asked the former CEO of Wells Fargo not only if he had fired the leader of the affected units but also if he had fired the head of compliance that oversaw the division. Wow. If people feel that there is a target on their backs, then we will start to lose the best and brightest within the profession and miss out on this critical opportunity for compliance to be a strategic partner.

That being said, I always advise people to take this job carefully. I have been in a few consulting situations where the compliance officer has a leadership team that doesn’t get it, is very comfortable with risky behavior, and wants to have a compliance officer as someone to blame. I have advised them to leave the role. I recently read that Marsh & McLennan came out with a specific liability insurance policy for compliance officers within the last few months. You have to be a little concerned that they felt there was a business opportunity here although, when I was promoted to ethics officer at Westinghouse in 1994, my husband congratulated me and then upped our personal liability policy.

Liability is always going to be a risk. Compliance officers obviously need to be vigilant. It helps to periodically step back and do a gut check and look for any blind spots or gaps in the program, just to make sure there isn’t something you’re missing. Good documentation is also important. And, make sure you are covered on the organization’s D&O liability policy. But, this is not a reason to leave the profession.

In the last 10 years, compliance has evolved substantially, both as a discipline and as a profession, but nowhere do we see this more than in an organization’s culture. Where once compliance might have been seen as a kind of “hall monitor” or “speed limit,” it is increasingly invited to the C-Suite to participate in an elevated and strategic discussion about an organization’s values, aims, and methods. Where do you see this transformation, on a wide scale? And where do you see it going in the next 10 years?

When I started, it actually was an elevated position. I reported to the CEO and was involved in strategic business discussions, including how we managed the shutdown of the company in an ethical way. So, I started with an enlightened organization and a visionary general counsel as a partner. But sometimes, compliance officers can be their own worst enemies. At times, we make ourselves the hall monitor. The job doesn’t come with a badge. Respect is earned, and I think that the amount of increasing professionalism the industry is trying to build is very important. I don’t want to see us morph into checklist checkers and the department that only says, “no.” We lose our value that way. We have a responsibility to demonstrate our ROI to the organization and the value of having compliance at the table. It is our role to help find solutions that work within compliance.

As an example, I was doing a video-based training program with a group of managers to train the trainers. One of them told a story about how the school asked his son to sign a pledge to not watch TV for a week. His son later came to him asking to watch just one favorite program. The manager proudly reported that his son didn’t watch the show. After the session, I told him that they had another option; they could have recorded the show and watched it the next week and still be in compliance with the pledge. I still use that story because there was absolutely no skirting of compliance with that solution, and it’s about how we can help people find solutions and not just say “no.” That’s how we get invited to the C-Suite to help ID the problems we need to solve together.

The modern compliance field has largely stemmed from a reaction to major ethical and compliance failures, and it sometimes seems that the most support compliance gets as a function, and the most progress it makes as a discipline, is when it’s spurred on by a recent problem that underscores the need for strong compliance. And while this can be helpful, it’s not especially proactive. Would you agree with this or disagree, and why?

I agree, and at NAVEX, we see it all the time. When an organization needs us because they are in trouble, they really need us fast. Unfortunately, if many of these companies had taken the time and resources up front, the cost to their reputation and bottom line would be lower. It’s the age-old problem of measuring cost avoidance. We can be more proactive and communicate more about risk strategies to help avoid failures. But, we need to put it in the language that business leaders speak. For example, I have stopped referring to the Federal Sentencing Guidelines and refer instead to best practices frameworks. Executives are tired of hearing about sentencing guidelines and this doesn’t resonate with anyone.


Carrie Penman never set out to be a compliance officer. In college, she studied to be a textile scientist, which landed her a job with Westinghouse, where among other things, she did environmental engineering work to help prevent the accidental release of radioactive material. At the same time, she was heavily involved in Westinghouse’s community service programs and ran the company’s United Way community fundraising campaign during the William Aramony scandal when the United Way’s leader was under investigation—and would later be jailed—for defrauding the organization of some $1 million.
The dark cloud the scandal created made Penman’s fundraising task difficult, but by scaling down corporate parties, stripping them of glitz and glam, and focusing instead on donations and community service, she managed to deliver Westinghouse’s biggest Pittsburgh community fundraising results on record. This put her in front of the executive team, who then tapped her to start a companywide ethics program. This was in 1994, at a time when Westinghouse didn’t have a lot of women in leadership.
Over the next five years, as Westinghouse’s first ethics officer, Penman built a program rolled out to some 76,000 employees worldwide. In 1999, she shut the program down when Westinghouse was dissolved, but by then, Penman had been on the board of the Ethics & Compliance Officers Association (ECOA) and went to work there as deputy director and ethics officer, where she spent a lot of time talking with members and helping them set up their own ethics and compliance programs.
After four years at the ECOA, Penman joined what is now the advisory services team of what is now NAVEX Global. And since 2003, Penman has been doing consulting work. Much of what she does nowadays is problem solving with client executives and helping organizations put the pieces of a compliance program and culture together in a way that best serves each unique organization. That’s where she says having a science background is helpful and now that she is the compliance officer for NAVEX, she can champion ethics and compliance from within her own organization, as well as help advise those firms on the outside.
Penman’s unconventional career has made her one of the compliance community’s most widely respected voices. Compliance Week sat down with Penman for an in-depth conversation about her views on the greatest challenges and opportunities facing compliance today, where the future of the profession lies, and how compliance officers can better advance their cause by learning how to act—and speak—like their counterparts outside of the compliance function.

It helps to present ethics and compliance in a context that is meaningful to the organization, in the organization’s language, and in terms of risk strategy and mitigation. Obviously, there are still times when we see a problem that has to be confronted, and we have to call things as we see them, but we can do it in a constructive way. Frankly, this is expected of all senior leaders.

I do a lot of board training, and I always have a very current event as a case study on how a board handled or didn’t handle an ethical situation well. There is a lot of group-reflection in these discussions. I often go into meetings with the daily newspaper, which I have done for 20 years. There is always something to learn from these front-page scandals, but there are still organizations that don’t see compliance as adding value. We, unfortunately, have to continually demonstrate value, but sometimes it takes a scandal to really focus attention and get resources.

We often hear about “tone at the top” and the “mood in the middle” but when we see major ethical and compliance fiascos, we are reminded of how systemic problems can often become. Compliance professionals often talk about addressing compliance, governance, risk, and ethics holistically. But where does that truly start? From what direction does it progress most successfully? From the top-most leadership who are expected to drive it with big ideas? From the lowest levels, where it is most immediate to day-to-day operations?

We need alignment at all levels. The board needs to care about culture and incentives—not just results. Organizations need to have an executive level compliance committee that includes business leaders, even if on rotating assignment, to define strategy and approach. We need management at all levels that are rewarded not only for what they do, but how they do it. And we know that employees want to take an issue directly to their manager without fear of retaliation and just get it addressed.

Effective organizations equip their 1st- and 2nd-level management with the tools they need to feel confident in their roles because taking our best engineers and making them managers doesn’t mean they automatically have the skills to be a good manager. We owe it to our frontline managers, our first line of defense, to give them the training and the resources to support them so that if an issue comes up, they know what to do.

We also encourage organizations to have all managers track and report all issues raised to them. At NAVEX, we offer an organizational reporting form for managers to input issues so the organization can get a more holistic picture of what they are dealing with up and down the chain. Then you can pick up patterns because you know where they are coming from. Is it happening in one location or business, or is it systemic? Documenting all issues in one place provides much more actionable information. So, it takes the tone at the top, the mood in the middle, and a lot of buy-in from the frontline. You need to address all three or it won’t work.

How much progress do you see, truly, among top business leadership in the United States and internationally to diversify board structures regarding gender? And how much diversity do you see within the compliance field? And what are the greatest challenges you see for women who are striving to make their mark in compliance, while also seeking to be given a strategic role at the top-most levels of their organization when those levels often don’t seem to be as inclusive as they could be?

It is a complicated issue. I worked really hard not to differentiate myself because I am female. I wanted to earn respect from the work that I did and not because I was the first female this or that. I believe gender is still an issue when you look at management teams and boards, though. When I prepare for work with new clients, I review their leadership team online and there are still too many organizations that only have women in “the usual roles.” It is interesting though, when I train boards, I often find that they have good diversity. I don’t know if it’s cause or effect that I am there with them, but the more diverse boards seem to be more open to the type of discussion I lead.

In the compliance field, there is tremendous opportunity for all who are interested—men and women. I joined the field when compliance officers tended to be senior-level executives (mostly men) taking their last job before retirement. They knew everything about the organization, knew where the bodies were buried, and didn’t give a hoot who might be upset if an issue was raised. I learned a lot from those guys and will always be grateful for their pioneering leadership.

The trend shifted in the early 1990s and the compliance role became an opportunity to provide a senior-level, highly visible opportunity for a high-potential individual to demonstrate his capability. That’s when more women started to take the leading ethics and compliance roles in large complex organizations. I think of Patti Ellis at Raytheon and Diane McDaniel at Texaco. We were all in our mid-30s and were given these very responsible high-level positions to figure out and make work. Ethics and compliance became an incredible opportunity for women in business and we seized it.

Over the last 10 years, we have seen the compliance community shift from professionals from outside of compliance who were essentially drafted or recruited into a new role that had to be filled, to professionals who are actively training for, and seeking careers in, compliance. With that in mind, how much would you characterize the current compliance community, percentage wise, between that first wave of professionals and the second wave? Or does the community not break down into camps that easily?

Percentage wise, I don’t have a good guess but you are right, there have been two ways to get into this field. One way is knowing operations and learning compliance. The other is to come out of compliance and learn the operations. There are many success stories in both directions. Professional organizations are now certifying compliance officers, so the profession is becoming a recognized career path. When I started, people didn’t move between organizations because there weren’t enough experienced compliance officers available to move. Now it is a highly competitive market.

I am also very pleased to see business schools with business ethics as a recognized major. You know you’re finally an embedded profession when business schools make it a course of study. I’m an executive fellow at the Bentley University Hoffman Center for Business Ethics, which just celebrated its 40th anniversary. Mike Hoffman, a true visionary in the field, started the Center and later launched the ECOA from there. The Center was built literally in the middle of a business school. Now, I am proud that a member of my team at NAVEX graduated from the Bentley University business ethics program and is pursuing this career path right out of college.

As for the current community, the first wave of operations-based professionals retired, and the next wave is starting to do so as well. To continue what has been built, we need to continue to add people who are committed to this as a profession. This is not just something that you do, it is something you are. It is a commitment. Originally, the ethics officer role for me was intended to be a developmental assignment. It became my profession.

I found that the people who do this for a living are thoughtful, people-oriented individuals (even though I am a scientist) and the effective ones have good business savvy and are truly moving the needle in the C-Suite. It is why I wanted to stay. It’s a strong profession that adds a lot of value and return to the organization. And I am very excited to see what the next generation brings to the profession and how they take it to the next level.

What do you like most about this career you have chosen? What has it given to you that you most value? And what does it enable you to give back to your colleagues, your employer, and your craft?

As I said earlier, when we closed down the Westinghouse program I knew I wanted to stay in the field. It is why I joined the staff of the ECOA and why I am now consulting for NAVEX Global to help our clients build their programs. I was never in it for the sake of legal compliance. I was in it because of the people and the difference we could make in their work environment and culture. An organization’s leadership can’t be everywhere, and things happen at locations where senior leadership isn’t present. Employees need to trust that they can raise the issues and if they are being shut down locally—that they have another place to go.

If employees believe in and trust their organization and its leadership to do the right things, then legal compliance will happen. They will pay attention to their training and actually reference policies. They will ask questions and raise concerns. Ethics and compliance officers are in a unique position to help facilitate this trust and shouldn’t lose sight of this critical role. I see too much singular focus on regulations and box-checking lately. It is, and always has been, about culture. Every scandal we read about comes down to a conflicting set of values, priorities and culture and the external investigation reports most often identify a misaligned culture as a primary driver of failure.

Throughout my ethics career, I have always had a passion for understanding how and why employees do or don’t raise issues. The scientist in me studied the data from our helpline to better understand where we may have brewing issues, and a follow-up by the internal audit team usually validated the concerns. Joining NAVEX Global and having the opportunity to research and benchmark the data from over 12,000 organizations was awesome and has allowed our team to provide the most in-depth analysis and feedback to the community on this topic.

There is one thing that drives me crazy, though, and that is calling employees “whistleblowers.” All of our Codes of Conduct or mandatory training tell employees that they have an obligation to raise issues or concerns about any suspected or known misconduct. So why do we stick a derogatory and intimidating label on an employee who is just doing what we ask and train them to do? It sounds like we don’t really mean it and we would rather that they don’t speak up at all. For some organizations, perhaps that is intended. But for those organizations that have invested significant resources in building an effective ethics and compliance program, it is a clear choice to make to respect our employee reporters.

In the 13 years as a consultant, I have had many opportunities to work with NAVEX Global clients, literally around the world and also to give back to the E&C community. I enjoy every opportunity to speak at conferences and to meet new compliance officers.

Some of the most rewarding work our advisory team has done has been in the area of culture assessment. One engagement in particular was perhaps our proudest. We were hired by the chairman of the board of directors of a very large global company that was in the line of fire from the government and the media for a series of issues. We interviewed senior executives and met with a number of employees in focus groups confidentially. Our findings related to both business and cultural issues. The organization took these to heart and made a series of major organizational and operational changes. The chairman told me months later that we had “materially and fundamentally changed the way they operated the company” and that he was very grateful for our help. We did this by listening to employees and leaders and sharing what we learned with the board in a meaningful and practical way.

In the end, for me, it is always much more about the people than legal compliance. And the science of compliance, I learned, is really an art.