Three months ago – just minutes before teaching the first class in my law school course on anti-corruption law and corporate compliance – I had what a cardiologist matter-of-factly described as a major heart attack. Luckily, I was quickly transported to a top-flight hospital with expertise in cardiac care, and received a stent in a coronary artery that addressed the immediate problem. Discharge from the hospital, of course, was only the first step in recovery, as cardiac care team members strongly emphasized my need to de-stress and maintain a heart-healthy diet and a regular exercise program.
During my recovery, it occurred to me, as someone with an abiding interest in corporate compliance issues, that a “compliance failure” – that is, a situation when a company finds that it is or could be subject to a major enforcement action because of its failure to maintain an effective compliance program – can involve a number of experiences comparable to a heart attack. What follows is a wholly personal list of observations and “lessons learned” for compliance officers based on those experiences.
When your internal-control systems are telling you that something’s wrong, don’t ignore them or rationalize the warnings away.
For approximately four days before my full-blown heart attack, I was experiencing significant, but irregular, radiating pain from the center of my chest and the same level of my spine. Neither I nor my family had any history of heart problems, and I was inclined to write it off as just unusually severe heartburn or acid reflux. When I took a look at a few online checklists of heart attack symptoms, they described symptoms different from mine (e.g., pain in the arm or jaw, chest pressure or tightness) or symptoms consistent with non-heart issues (heartburn or indigestion).
A potential compliance failure can begin much the same way. When your team comes across data-based compliance concerns — say, repeated or frequent instances of high-risk client behaviors or significant anomalies in financial transaction patterns — treat their concerns seriously, whether or not those instances or anomalies are the type of problem that you have seen before. As they say in the investment world, past performance is no indicator of future results.
Even if people in higher authority tell you there’s nothing wrong, don’t ignore the evidence you have.
On the fourth day of my higher-level chest and spine pain, I finally decided to go to the emergency room of a highly reputable hospital in my city (“Hospital Number 1”). After six hours of miscellaneous tests – including one that disclosed abnormal levels of an enzyme characteristically released during heart attacks – the ER physician (not a cardiologist) mentioned but dismissed the possibility of a heart attack, and urged me to see my primary care physician soon. Cheered by that diagnosis, my wife and I high-fived. The next day, my full-blown heart attack hit.
The history of compliance failures that cost companies tens of millions, even hundreds of millions, in penalties (plus costs of legal representation and monitorships) is replete with examples of companies in which senior executives dismissed or downplayed compliance risks, or even systematically constricted a compliance function’s budget, in ways that led to those failures. Even in the face of resistance from senior leadership, compliance officers need to stand firm, reiterate their concerns and the factual basis for those concerns, and cite, wherever possible, the enforcement penalties that other companies paid for similar inattention to compliance.
Once it’s clear that you have a compliance failure on your hands, move quickly to establish lines of authority and coordination, to diagnose the problem correctly, and to begin proper remediation immediately.
When my heart attack occurred, the EMTs transporting me said, “You don’t want to go to Hospital Number 1, you want to go to Hospital Number 2 (another nearby hospital) because they’re the best for cardiac care.” Their judgment was right – in short order, a bevy of nurses and cardiologists that included very senior and expert doctors moved quickly to reduce my pain, decide on a course of treatment, and install my stent within hours of my arrival. Though the attack was almost certainly triggered by stress from my overloaded schedule of teaching, consulting, writing, pro bono lawyering, and so on, the first order of business was to address the most immediate threat and work discussion of possible causes into the course of treatment.
As soon as it’s acknowledged that your company has a compliance failure on its hands, don’t waste any time in playing your part to assemble the right team of experts – such as compliance specialists, lawyers, and forensic accountants – and promptly to diagnose the full scope and breadth of the problem correctly and identify the most important steps toward remediation. Foot-dragging by the company in timely identifying and producing records and other data, for example, can count against the company despite professions of cooperation.
Recovery is a long-term process.
Full recovery from a serious heart attack is a long-term process that begins right after the immediate response to the attack. Although my hospital stay was only two days, I immediately started reassessing how much I needed to reduce my workload and overall stress (greatly), to make changes in my diet (modestly), and to exercise (far more than recently). I am now well along in a months-long cardio rehabilitation program to strengthen my heart muscle, and am committed to maintaining regular exercise even after I complete the program.
Full recovery from a compliance failure is also a long-term process. Throughout a company’s negotiations with prosecutors and regulators, senior management needs to initiate and implement remedial measures, even when some of those may prove uncomfortable or even personally painful (e.g., recommending disciplinary action against or firing of favored colleagues). Slowness in taking such disciplinary and remedial measures can also count against the company in resolving the compliance failure. That also means committing the necessary human and fiscal resources to execute those remedial measures and sustain them for the longer term.
* * *
Ultimately, companies need to recognize that unlike heart attacks, corporate compliance failures are entirely avoidable, as Amy C. Edmondson says in her invaluable book The Fearless Organization. That recognition may start with senior compliance officers, but needs to extend laterally to mid-level business managers and upwards to senior management and the board of directors. To paraphrase the old saying about an ounce of prevention, investing in a sustained and effective compliance program is worth tens of millions of dollars (or more) of cure.
* * *
Jonathan J. Rusch is Director of the U.S. and International Anti-Corruption Law Program and Adjunct Professor at American University Washington College of Law and Adjunct Professor at Georgetown University Law Center.