6. The Board’s Role in Compliance
Author’s note to the revised second edition
Rereading one’s work can either be a comforting affirmation of one’s competence or depressing proof of one’s limitations – or both, which is somewhat the case here. As for the chapter as a whole, I stand by its content but for one important qualification: despite discussing ‘tone at the top’, this chapter did not previously address a critical point to consider in this regard – culture – which has been rectified in this edition.
Suffice to say, heartfelt declarations by senior management and the board of directors about integrity, honesty, and respect for the law and each other, well-done risk assessments, properly set up and staffed elements of the lines of defence, and strong and clear compliance policies, cannot prevail if expectations and rewards for performance, compensation and promotion are not also firmly and honestly pointed in the same direction, as this chapter will set out.
The blasé boardroom
As the old saying goes, ‘the fish stinks from the head down’. Applying anatomy to an organisation, naturally it may be thought that the chief executive officer (CEO), or perhaps the C-suite, is the ‘head’. But that would be a grave and even dangerous assumption to make, anatomically and organisationally, and on the compliance and ethical levels.
Until quite recently, not much was expected of a board of directors in the compliance and risk assessment spheres of corporate activity and responsibility. The compliance function, if it existed in more than name, generally had a limited, rule-enforcing role and was likely to get no more attention from the board than the physical security of plants, warehouses and inventory. You would need to sniff about to find compliance in the organisation chart, probably lumped in with all the other revenue non-producers, such as accounting, sustainability and community relations.
This board-level nonchalance towards compliance with ethical and legal standards certainly contributed heavily to the upsurge in corruption in so many countries, both in Latin America and elsewhere. The aim in this chapter is not only to show what went wrong, but how the corporate remediation response, while well-intentioned, has relied on a model of board oversight that is no longer sufficient for changed circumstances and expectations.
Looking back at enforcement resolutions of the past several decades, in various areas of bad behaviour, there has been a perturbing paucity of board-level sanctions or even public criticism.
For example, in a corruption case involving Embraer, it was revealed that the board of directors failed to take disciplinary action against a very senior executive even after the investigation showed that this executive knew of various bribe payments in several countries, made by employees who reported to him. The board’s failure to discipline or dismiss the executive led to higher monetary penalties and other sanctions. In another corruption case, a CEO was personally involved in bribe payments in Argentina, yet continued as CEO, which again led to more severe penalties being imposed on the company. In neither case was any board member sanctioned, and my review of the media coverage showed no mention of the boards, much less criticism of their actions in the face of these serious findings.
But things have been changing. An example is the replacement of several board members at Wells Fargo in 2018 as an outgrowth of the massive sales frauds committed against its customers. The lead independent director of Wells Fargo received a letter from the board of governors of the US Federal Reserve System, finding that ‘there were many pervasive and serious compliance and conduct failures during your tenure as lead independent director’. The letter tells Mr Sanger that ‘[t]o fulfill [your] role, you needed to have sufficient information from firm management to understand and assess serious problems at the firm. This would require robust inquiry and demand for further information’, which Mr Sanger did not do. The letter charges that the director was made aware of the devious sales practices and other compliance issues. However, the Federal Reserve went on to say, ‘you did not appear to initiate any serious investigation or inquiry into the sales practices problem or put a proposal to do so to the WFC board. Your performance . . . is an example of ineffective oversight’ inconsistent with the Federal Reserve’s expectations.
The Federal Reserve was also quite unhappy with the board as a whole: ‘Management’s reports generally lacked detail and were not accompanied by action plans and metrics to track plan performance.’ (See the discussion about Vale, below.) The Federal Reserve also focused on the failure of the board to monitor and assess management incentives adequately: ‘[T]he board of directors must ensure that WFC’s performance management processes for employees, including compensation and other incentive programs, are consistent with sound risk management objectives and promote . . . compliance . . . [as these] programs played a material role in the firm’s compliance breakdowns.’
If that seems like a dressing-down for the ages, just wait. Public reaction judged the Federal Reserve’s actions and words to be no more than a wrist-slapping. A Los Angeles Times columnist wrote, ‘The Wells Fargo board is still getting a pass for failure’ and questioned why only four directors were being dropped while seven were retained: ‘A new broom sweeps clean only if it is genuinely new but . . . Wells Fargo will keep some very old bristles indeed.’
The former US Treasury Secretary and president of Harvard University, Lawrence Summers (who is hardly a radical opponent of big business), wrote in The Washington Post: ‘It has long seemed to me that we need better approaches to corporate accountability than large fines paid by shareholders of record, years after bad acts were committed.’ Turning to Wells Fargo, he asked why, in light of the clear failure of board supervision, ‘regulators are so reluctant to foist public accountability on the individuals in responsible leadership positions’. Summers added: ‘Why shouldn’t avatars of responsible capitalism such as BlackRock insist on public resignations of board members when firms have established a track record of unethical behavior on their watch?’ He reinforced the major corrective element of his advocacy: ‘Yes, my proposal will make it harder to recruit board members. This is a feature, not a bug. If board members worry about reputational risk, this will deter dilettantes interested in the networking and the paycheck.’
In Marchand v. Barnhill, a 2019 case, on a motion appealing lower court decisions holding that the pleadings were insufficient (i.e., the facts asserted did not on their face support a finding of culpability), the Delaware Supreme Court reversed. The basic facts were: ‘Blue Bell Creameries USA, Inc, one of the country’s largest ice cream manufacturers, suffered a listeria outbreak in early 2015, causing the company to recall all its products, shut down production at all its plants and lay off over a third of its workforce. Three people died as a result of the listeria outbreak… [S]tockholders also suffered losses.’
An aggrieved shareholder brought a derivative suit against various executives and the board of Blue Bell for breach of fiduciary duty.
The Delaware Supreme Court found that the plaintiff’s alleged facts supported the necessary inferences that the board failed to implement any system to monitor food safety issues and that this ‘utter failure’ by the board was in breach of its duty of loyalty.
The following is a partial list of board-related shortcomings noted by the Court:
- Blue Bell manufactures only ice cream, thus making food safety a central compliance issue, yet the board did not have a food safety committee, no board-level process to address safety issues and no protocol for food safety issues to be raised to the board’s attention.
- For years before the 2015 listeria outbreak, safety inspectors had found troubling compliance failures. The Court mentioned six reports, most of them detailing multiple problems.
- Tests, ordered by Blue Bell in 2013 and 2014, reported positive for listeria.
- The board never received any of the information in the second or third points above.
- More negative news came to light in 2014 but board minutes reflect no discussion of these concerns.
- On 13 February 2015, the Texas health authorities notified Blue Bell of positive listeria tests. The company itself, on 19 and 21 February, found listeria in the Texas facility. When the board met on 19 February 2015, there was no discussion of the listeria problem.
- Only four days after the February board meeting, Blue Bell initiated a recall. Only then did the board discuss the listeria issue, for the first time.
- Instead of going into full disaster repair mode, the board did not meet more frequently or receive constant updates, leaving the company’s response to management.
There have been several cases coming out of Delaware in the wake of the Blue Bell case. The two most relevant ones are set out below.
The Inter-Marketing Group case involved responsibility for a pipeline company’s disastrous oil spill. It was alleged that, as in the Blue Bell case, there was no oversight of the company’s ‘intrinsically critical’ business operation. Evidence showed that pipeline integrity issues were not discussed at the board level. Nor was a board subcommittee created to discuss these matters. Further, in response to the defendant’s argument that the audit committee’s charter required the committee to ‘advise the Board with respect to policies and procedures’, the court agreed with the plaintiff’s assertion that there was no evidence at all that the audit committee had ever complied with this requirement.
In Clovis, the alleged oversight failures concerned the company’s only product, an oncological treatment for which it was seeking regulatory approval. Company officers overstated the drug’s efficacy, misapplied testing protocol standards, and misled regulators and investors. In assessing the board’s responsibility, the court stated that, ‘when a company operates in an environment where externally imposed regulations govern its “mission critical” operations, the board’s oversight function must be more rigorously exercised’.
You can add to these examples scandals at Volkswagen, Uber, Boeing (see below), CBS, Airbus, WeWork and Chipotle, and in Latin America at companies such as JBS, Biomet (later Zimmer Biomet), Biomet Argentina and Biomet 3i Mexico, Vale (more on this one later), Tyson de México, Petrobras, Odebrecht and Braskem, and SQM (Chile), to name only a few.
However, the heads that have been made to roll so far have often followed a disquieting pattern:
- the bad thing happens (whether allegations of corruption, cheating on emission standards tests, a dam bursts, publicity about a company’s pervasive culture of sexual harassment, etc.);
- the board expresses resolute confidence in management but will ‘thoroughly and independently investigate’ said bad thing;
- awkward revelations come to the fore and various C-suite members ‘resign’;
- there are more awkward revelations and the CEO walks out with his head under his arm (and often a fat cheque in his hand); and
- finally, the board expresses its shock and dismay and appoints a new CEO, often (and with no evident sense of the absurd) a member of the board of directors who was on the scene during the whole sad affair.
A perfect example is Boeing. In the case of Boeing, the ‘bad thing’ was the tragic crash of two planes – both of them its newest model, the 737 MAX – and Boeing’s tone-deaf management of the fallout.
On 22 October 2019, Boeing fired the head of its commercial aviation division. Director David Calhoun said in November 2019 that the CEO had ‘done everything right’ and should not resign. The CEO was sacked on 24 December 2019, one month after the endorsement from Mr Calhoun.
Mr Calhoun then became CEO. In an interview with The New York Times, he said: ‘It’s more than I imagined it would be, honestly. And it speaks to the weaknesses of our leadership.’ Mr Calhoun added: ‘We had a backup plan. I am the backup plan.’ Mr Calhoun was a director for nine years and had already been chair of the board for a few months by this point.
So, where do we go from here? Things have to change, right?
Confidence in corporate governance has been shaken. Media attention has been relentless and scathing, and activist shareholders and even stay-on-the-sidelines shareholders have made their unhappiness very clear. Boards have sat bolt upright and taken notice.
They have spurred management into action, who in turn have ordered the formation or bolstering of compliance departments, assertively demanded the preparation and dissemination of codes, manuals and policies, and of videos with production values Netflix would be proud of. The latter usually features the CEO talking about the importance of compliance to his (virtually always ‘his’) company, and then, while leaning into the camera, brimming with urgency and sincerity, assuring the viewer that no one takes this issue more seriously than senior management and the board. For it is they who must set the ‘tone at the top’. And they will – you can count on it.
Is this insincere? Not in most cases. But so what?
The fear is that the focus on ‘tone at the top’ takes attention away from all else that must come from the board and the C-suite, and lulls into mistaken contentment those who believe that setting ‘the tone at the top’ is sufficient. (We shall forgive whoever fell into the amatory arms of alliteration and coined the phrase.)
For tone is quite a superficial characteristic: ‘manner’, ‘mode’, ‘cast’, ‘colour’, ‘tint’, ‘complexion’ are only a few of the explanations or synonyms for ‘tone’, and these are such ephemeral and slight qualities. Add to this the constant exhortations that the top tier must ‘set the tone for the company’ with ‘clearly articulated ethical standards’ and must ‘[do] enough to publicize [its] compliance program’. Words, words, words.
CEOs and board members are led to believe that the manner in which they deliver the message is their only required contribution to a culture of compliance, and so they do not participate actively in setting up structures and procedures from the outset that will create the conditions for a compliance mindset to emerge and prosper. Boards and top executives can no longer do all the talking and leave to others all the doing.
The generally accepted major duties of a board of directors are to think strategically and to keep an eye on management. This second obligation has, over time, influenced by practices in many countries and by jurisprudence, notably in the state of Delaware (especially with its development of the ‘business judgement’ rule to protect boards from undue second-guessing), become defined largely by what the board ought not to do: directors should not be executives and should not interfere in the operations and other aspects of the daily life of the company, leaving to boards a somewhat removed obligation to hear reports, ask questions and decide matters in a reasonable, prudent manner. An important outgrowth of the business judgement rule protection is that boards ought to maintain a healthy distance from operations, lest board members be judged by a more rigorous standard because they left their safe supervisory perch and mucked about in day-to-day affairs.
This separation of executive and oversight responsibility is salutary and sensible. However, the definition of what is reasonable and prudent is protean. The repeated failures of board supervision show either that boards are not doing even the minimum that was expected of them (which is sometimes the case) or, in my view, that boards, much more often, have not realised that more is expected of them.
My advice is that the board immerse itself substantively in risk assessment and compliance, rather than act in only the conventional supervisory capacity. This may seem radical and a departure from the notion that boards should not meddle in operational matters. A proposed answer is this: not only is this not radical but, in light of the repeated scandals, it is increasingly necessary as part of the prudence and care that boards owe to shareholders. As for interference in operations, I hope I am clear that my proposal is to deepen board knowledge of, involvement in and contribution to enterprise risk management, and in no way to supplant management functions.
Here is a recent example of a recognition, if belated, of these perceived higher requirements. After the crashes of the two 737 MAX airplanes, Boeing commissioned an examination of safety issues that resulted, among other steps, in the formation of a board-level safety committee. Why was this step not taken long ago? It appears that it was taken for granted that Boeing management was totally in control of product safety. As The New York Times reported, ‘[T]he board believed that [the ex-CEO], an engineer who had been with Boeing for his entire career, was so deeply informed about the business that he was a good judge of the risks involved in ramping up production’, which turned out to be a significant contributing factor to the accidents. This is a mistake boards must avoid.
A word on ‘compliance’. Compliance is used herein to include anti-corruption and anti-fraud; discrimination, harassment, conflicts of interest and related-party transactions also are the responsibility of the compliance function. But it clearly needs to be understood more broadly to include all significant business-related risks. You read of ice cream, pipelines and drugs, and you will read about dam and airplane safety, which fit into this category.
I do not advocate that the assessment of all risks, and processes to address them, should be the responsibility of the compliance department, but there must at least be in place very similar structures in conception, range of activity, and autonomy and independence, to monitor these areas of concern. The board cannot assume that these issues are being handled properly because they are an integral part of the ‘business’ of the company and so for executives to deal with, as opposed to corruption or discrimination incidents, which are not ‘business’ events.
And a thought on ‘board compliance oversight’. This is generally a delegated duty of the audit committee. While I share the increasing worry that audit committees may be overworked, an audit committee nevertheless seems to be the right oversight body. A separate governance or compliance committee might make sense in some circumstances, but such committees could suffer from not having all the information an audit committee receives. So I will refer to the audit committee as the board organ responsible for compliance supervision. Implicit in all this is that the audit committee and senior management will fully brief the board and that the board will engage actively and contribute to the efforts of the committee and management. An exception to this rule would be for a business activity that is high risk and very technical, which should have board members with in-depth knowledge of the area, and perhaps even expert non-board members in an advisory capacity.
Touched upon below are the principal compliance characteristics and structures with which the board must thoughtfully and vigorously involve itself, to ensure the healthy creation and successful maturation of an effective programme and to avoid the disasters of the past.
To quickly and demonstrably mount or invigorate a compliance function, with new or additional codes, rules, prohibitions, remedies and punishments, companies are often tempted to skip the vital step of conducting a careful risk assessment. This is like prescribing drugs before making a diagnosis.
This results from various attitudes: overconfidence (‘we know our business, we know what needs watching’), the time required, the cost and, in some instances, the worry that mapping of relevant risks will make management risk-averse (like disconnecting the speedometer so that you do not frighten yourself by your speed).
A recent EY survey of 500 CEOs and board members found that fewer than 25 per cent of directors reported being ‘very satisfied’ with the effectiveness of their risk adjustment processes and only 20 per cent of directors were confident in risk reporting from management.
Risk assessment is absolutely crucial. As the 2019 US Department of Justice Guidelines has it:
The starting point for a prosecutor’s evaluation of . . . a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.
. . . Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.
A good risk assessment exercise should:
- freshly analyse the risks of the company in its significant areas of activity;
- have the collection of information thoroughly informed by what front-line managers think their risks are and with what priority. These should be validated by interviews with senior executives;
- include transaction-testing and walk-throughs to ascertain whether what should be working is, in fact, working;
- from time to time, or for certain issues, hire external consultants;
- have as its analytical centre for the dimensioning of risks and assigning of priorities a committee that, beyond compliance, includes senior accounting, legal, controls, internal audit (IA) and information technology representatives, at least. This diverse group is not likely to miss anything important; and
- most of all, this work should be closely followed by at least one audit committee member. Hands-on, daily participation is not necessary, but frequent involvement in the data analysis and priority-setting discussions by that member is highly desirable.
From conception to operation
Even recognising that companies have different cultures and compliance concerns, some fundamental principles should govern the construction of every good compliance programme. While adhesion to best practices from top to bottom may be ideal, this is not realistic. But the principles of independence, autonomy, structure and cultural compatibility are key, as they serve as the foundation to build on and determine how sturdy the compliance edifice is and how well it will meld into the corporate landscape. The first two qualities ensure reliability; the correct structure separates the operational from support functions; and compatibility ensures that the programme fits the culture and language of the company. These principles being of the first order, the audit committee must be fully engaged in preserving them. Choices between ‘best’, ‘good enough’ and ‘will have to do for now’ must be made by the audit committee and management together. Not unlike other strategic business decisions, which routinely involve suboptimal elements and uncomfortable compromises, the building of the compliance function cannot be left only to executives. Based on personal experience, this is very rarely done, but it is advisable, even though it appears to cross an inviolable boundary. I believe, however, that boards will have no choice.
The importance of independence cannot be overstated. Together with autonomy, discussed below, these attributes must be self-evident and unassailable from the board down, through compliance and related functions. It is not sufficient that audit committee members be considered ‘independent’ under relevant market regulations. May a member who meets applicable requirements but who is a close, long-time friend of the CEO and other high-up executives (close friendship not being a disqualifying factor under, at least, US or Brazilian regulations) be on the audit committee? Technically, yes. But if that audit committee needs to launch an investigation possibly involving one of the executives who is a close friend of the committee member, how will that appear to regulators, shareholders and the media? If the structure is not as immune to attack as is possible, the reliability of its findings and conclusions may, and likely will, be questioned from the outset.
This same care should extend to professionals hired for compliance-related work, especially investigations. I would be uncomfortable hiring a law or consulting firm for an investigation that is doing, or has recently done, considerable other work for the organisation. The justification for hiring a close professional partner (‘they know us, they won’t go crazy’) is why hiring that firm is inadvisable: it may appear as an attempt to gain an advantage. The importance of ‘appearances’ varies widely between cultures. Generally, Anglo-Saxon cultures have paid more attention to the appearance of impropriety. For instance, most large, respected law firms in the United States put in place anti-nepotism rules several decades ago, while similarly respected firms in Latin America have been less prone to do so. The same is true with management of family-owned or family-controlled public companies. This is only to note the difference, without criticism implied. But in compliance, seeming bad is almost as bad as being bad.
Here, compliance-related functions refers to IA and internal controls. Where these are placed organisationally and to whom they report are as important to these functions as to compliance. The compliance literature is very clear on the concept of the three lines of defence, so the following is a summary.
- First line: the operational functions of the organisation, as the public-facing elements, are the front line in compliance. This is no trivial matter. A strong first line, made so by a corporate culture that persists in the incessant inculcation of ethical values, in the implacable rejection of ethically dubious conduct and in the continuous transmission by the board and senior management of the company’s values is the clearest indication of a highly effective culture of compliance. And here is where ‘tone at the top’, constant and consistent, has its greatest value. But this is an unending effort, so strong second and third lines are indispensable.
- Second line: compliance and internal controls support the first line. Note the word ‘support’. Their role is not to prohibit and punish, it is to construct processes that help the business functions do their jobs well and properly, and to monitor and improve these processes to make sure they work but do not constrain the business functions.
- Third line: IA is the last line of defence and exists to ensure that anything that passed the other lines does not go any further. It is also axiomatic that IA should be kept distinct and have the highest degree of autonomy from management, inasmuch as it is not an operational function.
Here we deal with the oversight of compliance-related functions. A thoroughly independent audit committee relying on departments that have compromising or conflicting vectors acting upon them is an empty vessel. It is in this area that the board must be most firm, because it is likely to need to make structural changes, which most organisations almost instinctively resist.
Compliance and internal controls should be together and their head should report directly to the CEO. Often the reporting is to the general counsel, but this confuses an operational function that is intended for the detection and avoidance of irregularities with the management function of the legal department to protect and defend the company from legal risks. As second-line components, these functions report to the CEO because they are, as said, supporting the business operations. The department head should also have regular and open access to the audit committee in executive sessions. Ideally, the audit committee chair should have a direct, informal relationship with the CCO. In a number of companies, the CCO reports directly to the audit committee. While I sympathise with the push for greater independence, I am persuaded that having compliance as part of the operations of the company and not an enforcement arm of the board is the better approach. This is also clearly the prevailing wisdom. Compliance should be seen by the company’s employees as a support function and not a policing one.
It is also important to protect the CCO from financial pressures; cost-cutting, downsizing and similar metrics ought not to be used for the compliance functions and any significant deviation in compensation of the CCO compared with peers should be discussed with and approved by the audit committee. Likewise, the CCO’s dismissal or demotion should only happen with the audit committee’s concurrence.
IA should report directly to the audit committee, which should set compensation for the IA head (in consultation with human resources). I have not heard any convincing arguments against this structure but I will give the argument for it anyway. IA, the last line, catches what the first line thought it could live with, or get away with, and that the second line missed. To have a group with this charge subordinate to those who looked away, allowed, or worse, participated in the transgression, makes no sense.
Compatibility with company ways
Pity the poor CCO. Likely to be a new arrival to the company, he or she has to very quickly put together a team and build a compliance function from scratch (or from some ramshackle structure left by the predecessor). The natural reaction of the harried newcomer is to get to work at once. There is a strong temptation to go for ‘easy wins’: announce an ambitious training schedule, get the sincere CEO video on air, put a code of ethics up on the website, probably closely modelling it on that of another company (after all, ethics are ethics, regardless of the company, aren’t they?). Pity next the poor company that put the CCO in such an impossible position. A compliance programme that does not organically fit the mores and traditions of the organisation, that does not reflect and absorb its cultural and even linguistic individualities, will fail. It will be rejected by the organisation, not with anger but with disdain.
To avoid this, the CCO will need to understand the organisation deeply and viscerally, and how best to inject compliance into its core rather than grafting it on awkwardly.
What has been shown to work well is to form a committee. This committee, comprising senior members of internal audit, information technology, accounting, internal controls, legal and, ideally, some line managers, perhaps from procurement or sales, would be instrumental in helping the CCO to develop a programme that, in the language of the company, addresses those of the company’s risk and compliance issues that most need attention. In the structuring, or restructuring, of the compliance functions, the participation of an audit committee member is vital. This member can usefully contribute reflection on the views and concerns of senior executives and board members, and can give political and other support to the CCO. This effort, along with the comprehensive risk assessment that is solidly based on first-line worries, will result in a programme that is introduced to the organisation with the support of a broad array of respected managers. With this inclusive approach, greater and more rapid adhesion to the compliance programme should be assured.
Saving the worst for last
Let us assume that senior management (including the board of directors) accepts its responsibility for compliance and ethics. But what if there are other signals, behaviors, expectations, that the executives and the employees perceive, that fly in the face of this commitment?
Vale, a Brazilian company, is, and for many years has been, one of the world’s leading producers of iron ore. Iron ore extraction is an environmentally hazardous business. The particular hazard we need to know about is iron ore tailings, the fine-particled slurry waste by-product of the process. This mud-like, heavy liquid is collected in tailing ponds, and contained, usually, by an earthen dam.
In 2015, a dam for one of these ‘ponds’ near Mariana in the state of Minas Gerais, Brazil, owned by Samarco, a 50/50 joint-venture of Vale and BHP, gave way, causing 19 deaths in what was the greatest environmental disaster in Brazil’s history to date.
On 25 January 2019, a Vale tailing dam, up a hill from the small town of Brumadinho, in the same state, collapsed, loosing 13 million cubic meters of tailings, obliterating the town, killing 252 and leaving another 18 unaccounted for. In its wake, numerous investigations were launched, resulting in the CEO of Vale and a number of other executives facing homicide charges and fines in the billions of reais being levied or negotiated.
Vale itself commissioned an independent investigation, led by a former member of Brazil’s Supreme Court. In its report, the investigative team deliberately ranged broadly in its search for answers, and ‘included aspects related to governance, risk management, corporate culture, [and] compensation policy and incentives.’
As to these issues, after the Mariana dam failure of 2015, ‘dam safety became a frequent subject at meetings of the Board [and its committees.]’ The investigation devotes pages to the dam safety reports made to the board and its committees. Though it carefully avoids any specific criticism, one is gently led to two conclusions:
- The management reports were general and vague, focused on the fact that regulatory approvals were obtained, rather than on low safety levels at Brumadinho and other dams. ‘[I]t was noted that presentations on the . . . dams made to the board of directors and their [sic] Advisory Committees signaled the safety of the dams.’ In other words, the board was getting sanitised information.
- ‘The review identified no evidence of discussions regarding the decision to cease disposal of tailings at [the Brumadinho facility] or its low factor of safety at the Board of Directors, [or] its Advisory Committees.’ It is fair to infer that management chose what data to convey, and the board chose to do what many boards are accustomed to: receive the reports, make sure that their substance is recorded in the minutes, and no more.
The report points out at Vale ‘a strong hierarchical structure that is resistant to the exposure of problems to higher levels . . . Furthermore, there was no incentive for questioning decisions made at higher hierarchical levels.’
It also points to a ‘siloed environment’, with business units reluctant to share information with the corporate level:
[There] was a work environment that lacked transparency and that did not encourage personnel to raise concerns and/or question leadership decisions . . . This cloistered and closed structure led to relevant information that was understood to be unfavorable to generally remain restricted to . . . the Iron Ore Division.
Vale was, to be kind, solipsistic. Discussions of dam ruptures were framed by monetary considerations only, without taking into account the loss of life. They focused mostly on workplace safety, with little attention paid to risks to neighboring communities, that is, ‘without the necessary focus on process safety (e.g., minimization of large-scale risk . . . inherent to operation in a hazardous industry.) . . . [M]ere regulatory compliance is rarely sufficient to generate the safety of highly complex structures.’
The investigation also highlights a phenomenon prevalent at Vale, the ‘normalization of deviance’, where repeated exposure to departures from the norm over time inures those responsible to the need to deal with these variations.
The report registers ‘a major emphasis on financial aspects’ of dam safety, finding little or no focus on safety measures. The report states that there were no safety goals for compensation purposes in 2018, and in 2016 and 2017, the only such goals were the completion of external audits and the obtention of favourable inspection certificates.
Another company to look at is Boeing and its troubles arising out of the crashes of two of its recently introduced MAX aircraft, in October 2018 and March 2019, resulting in the death of 356 persons.
The media coverage, a US Congressional Investigation, and a settlement with the US Department of Justice reveal a troubling story.
Boeing, after decades of near-total commercial aircraft dominance, began in the mid-2000s to lose significant market share to Airbus. In 2010, it found itself in a battle with Airbus for significant orders from American Airlines, until then a loyal Boeing customer. The then-CEO was under ‘explicit pressure from the Board to . . . bolster profit’.
To satisfy American Airlines and others, the roll-out of the MAX needed to be at supersonic levels. So breakneck speed in design and production was a must. And Boeing did all it could to push these along. This might seem like the expected maximisation of profit the markets require, but Boeing is not a book publisher or a department store chain. So why did it act as such? Why did it not sufficiently recognize the ‘mission critical’ nature of its commercial aviation business?
There are signs that Boeing began to lose its way over 20 years ago. In 1997, it bought the failing McDonnell-Douglas aircraft manufacturer. It soon became apparent that the McDonnell-Douglas culture completely overwhelmed Boeing’s. Wags in Seattle would say ‘McDonnell Douglas bought Boeing with Boeing’s money’. Harry Stonecipher, the McDonnell-Douglas CEO who took over leadership of the combined entity, could not have been clearer: ‘When people say I changed the culture of Boeing, that was the intent, so it’s run like a business rather than a great engineering firm.’
An ethics review commissioned in 2004 at the request of the US Air Force found that employees ‘almost universally’ pined for the days before the merger, when Boeing was an ‘association of engineers . . . [that] spoke . . . engineering and safety as a mother tongue . . . Finance wasn’t a primary language.’
In the US House of Representatives Report on the 737 MAX crashes, Boeing employees are cited about the company before the merger: ‘Multiple current and former Boeing employees . . . [have] described their excitement and enthusiasm in joining one of the world’s most esteemed companies . . . They viewed Boeing as an engineer’s paradise . . . where safety was always at the forefront.’ The House Report continues: ‘The prowess of the engineers... [was] replaced by the accounting acumen and financial decisions of business executives.’
A veteran business journalist, Jerry Useem, points to the move of Boeing headquarters from Seattle to Chicago in 2001, 1,700 miles from the nearest Boeing commercial airplane assembly plant. ‘The isolation was deliberate.’ The then-CEO said that when headquarters are close to principal facilities, ‘the corporate center is inevitably drawn into day-to-day business operations.’ That statement, Useem observes, ‘captures a cardinal truth about [Boeing]: The … MAX disaster can be traced back … to the moment Boeing leadership decided to divorce itself from the firm’s own culture.’
With this background, the following revelations of the House Report and from the media are not surprising:
- An LA Times columnist wrote that the inaction of the Boeing Board after the first crash ‘suggests that the Boeing Board didn’t view its responsibilities as extending beyond the company’s bottom line…’ The columnist points to the decision in 2011 to ‘tweak’ the existing 737 model rather than design a new one, as Airbus was doing. The then-CEO, under ‘explicit pressure’ from the board to ‘bolster profit’, chose to limit cost and speed up the development of the MAX, which led to software solutions, including the MCAS stability software that has been identified as the major factor in the MAX crashes.
- A Fox Business article quotes Nell Minow, of Value Edge Advisors, the ‘queen of good corporate governance’: ‘The move from a manufacturing mindset based on quality and safety, to a finance mindset’ leads her to hold the board of Boeing as ‘completely responsible for the failures at the company.’
- Boeing strove to ensure that regulators not require simulator training for the MAX, as, among other issues, it had a contractual obligation to Southwest that would have meant up to US$400 million in penalties should simulator training be mandated.
- The head of the MAX development team had installed ‘countdown clocks’ in meeting rooms to reinforce the importance of any hour or day wasted. He described these clocks as ‘excitement generators’.
- A Boeing test pilot, after undergoing the MCAS stability exercise on a simulator, described the result as ‘catastrophic’. The FAA, the US aeronautics administrator, defines catastrophic as: ‘Failure conditions that are expected to result in multiple fatalities of the occupants or . . . fatal injury to a flight crewmember normally with the loss of the airplane.’
- The chief project engineer of the MAX Project admitted that when he approved the MCAS software he was unaware of two problematic design features or that one of his own test pilots described simulator results as ‘catastrophic’.
- Edward Pierson, a graduate of the US Naval Academy, a 30-year Naval officer, joined Boeing upon retirement from the US Navy. He was a ‘senior leader’ of the MAX final assembly facility. Pierson, troubled by what he saw as safety concerns, raised them with the general manager of the MAX project, Scott Campbell. Pierson and his superior finally had a meeting where Pierson said that in the military, faced with these issues, ‘we would stop’. Campbell, predictably echoing Stonecipher, responded: ‘The military is not a profit-making organization.’ Pierson then went up the corporate structure, writing several letters to the CEO and even to the entire board of directors. Pierson never heard from the CEO or any board member, and chose to retire early.
An industry analyst points to the distancing, both culturally and physically, at Boeing as a prime reason for its troubles: ‘[What was lost] was the ability to consistently interact with an engineer who in turn feels comfortable telling you their reservations . . . As a recipe for disempowering engineers in particular, you couldn’t come up with a better format.’
As early as 2000, the renowned business scholar Jim Collins warned that Boeing ‘always understood it was an engineering driven company, not a financially driven company’. If Boeing was not ‘honoring that as their central mission, then over time they become just another company’.
On 7 January 2021, the US Department of Justice announced that Boeing had entered into a deferred prosecution agreement in which the company is charged with one count of conspiracy to defraud the United States through misleading statements to regulators by Boeing employees. Boeing agreed to pay over US$2.5 billion, consisting of a criminal penalty of US$243.6 million, compensation of US$1.77 million to MAX airline customers, and US$500 million for a fund to compensate the families of the 346 passengers who died in the two crashes.
So now we have to change our whole culture?
If any culture has the problems here discussed, then the answer is yes. Even so, it is indispensable that management consistently and committedly behave in the right way. In many cases, there will be no appetite for profound change because it requires from senior staff and managers behaviours that often do not, or no longer, come naturally: to be humble, to listen, to be thick-skinned, to be fair-minded, to be patient, to be accessible, to view oneself as a colleague – you have the final say, but don’t let that get in the way of hearing people out, and don’t make them feel inadequate or that they’re wasting their time.
Amy Edmondson, a Harvard Business School professor, in referring to the MAX accidents and problems at the Boeing 787 Dreamliner plant in South Carolina, wrote: ‘This is a textbook case of how the absence of psychological safety – the assurance that one can speak up, offer ideas, point out problems, or deliver bad news without fear of retribution – can lead to disastrous results.’
Edmondson explains that while humans are ‘finely attuned’ to risk, they are sensitive mostly to interpersonal risk, overvaluing comfort and safety now, and undervaluing the vague, the improbable, the far-off risks. There is a term for this: discounting the future.
Humans do not want to make waves, be Cassandras, or be seen as negative or difficult. She quotes another scholar, who has written that ‘bosses live in a fool’s paradise’: ‘Bearers of bad news, even when they are not responsible for it in any sense . . . tend to be blamed . . . The result is the “mum” effect: subordinates soften bad news . . . or avoid passing it along. Therefore, in a steep hierarchy it is a happier and happier story that reaches the top ranks.’
The only way to change this, according to Edmondson, is by having ‘the behavior of managers up and down the line . . . vehemently and continuously supporting psychological safety’:
- setting times and places for team members to speak up;
- having these meetings frequently, so the sting of criticism and bad news is diluted; and
- setting rules of engagement.
She concludes with this: ‘It needn’t take a tragedy to change a culture. What’s needed is speaking up and tuning in.’
An MIT Sloan School of Management publication quotes MIT senior lecturer Neal Hartman on Boeing: ‘Of greatest concern is the fear that employees were either uncomfortable or not empowered – or both – to take their concerns to appropriate levels in the Company.’ We know now that it was much more serious than that. At Boeing, Pierson, the Navy veteran, had to wait five months to get a meeting with the general manager of the MAX project and received a curt dismissal. He wrote to the CEO, he wrote to all the board members, more than once. And got no reply. He wasn’t uncomfortable, nor did he feel unempowered. He was ignored.
Rosabeth Moss Kanter, also at the Harvard Business School, says her studies of successful turnarounds provide a ‘flight plan’ for Boeing to fix the culture. Before approaching shareholders, including regulators, elected officials and passengers with ‘humility and a listening stance’, Boeing must first deal with its employees: ‘Elites generally think things are better than the average workers do’. (I would add that elites often think they are better than the workers, too.) ‘If that’s true across the board, imagine how much worse it is for Boeing as the negative employee emails show’.
The CEO ‘should roll up his sleeves, mingle with the masses . . . to see what life is like in the rest of the company. He must communicate early, honestly and often . . . The . . . CEO must set the tone by putting people first in every leadership action he takes.’
 Andrew Jánszky is an independent practitioner with more than 40 years’ experience in international capital markets, mergers and acquisitions, corporate governance and compliance.
 United States of America v. Embraer S.A., Deferred Prosecution Agreement, 24 October 2016, p. 4.
 United States of America v. Latam Airlines Group S.A., Deferred Prosecution Agreement, 25 July 2016, p. 4.
 Heltman, John. ‘Fed Drops Hammer on Wells Fargo as Four Board Members Ousted’, American Banker, 2 February 2018.
 Board of Governors of the Federal Reserve System, Board Letter re: Accountability as Lead Independent Director of Wells Fargo & Company Board of Directors. Washington, DC: The Federal Reserve, 2 February 2018.
 Hiltzik, Michael, ‘The Wells Fargo Board Is Still Getting a Pass for Failure’, Los Angeles Times, 6 February 2018.
 Summers, Lawrence, ‘Wells Fargo’s Board Members Are Getting off Too Easy’, The Washington Post, 6 February 2018.
 Marchand v. Barnhill, 212 A.3d, 805 (Del. 2019) [Marchand].
 id., at 807.
 Inter-Marketing Group United States v. Gregory L. Armstrong, C.A. No. 2017-0030-TMR
 In Re Clovis Oncology, Inc. Derivative Litigation, C.A. No. 2017-0222-JRS
 Stewart, James B, ‘Problems at Volkswagen Start in the Boardroom’, The New York Times, 24 September 2015; Griswold, Alison, ‘Now That Uber Has a New CEO, Employees Say Its Board Needs to “Grow up”’, Quartz, 2 September 2017; Kitroeff, Natalie; Gelles, David, ‘Boeing Fires C.E.O. Dennis Muilenberg’, The New York Times, 23 December 2019; Gardner, Eriq, ‘CBS Faces Credibility Questions Over Leslie Moonves Investigation’, Hollywood Reporter, 8 August 2018; ‘Airbus Executives Get Swept Away by a Corruption Investigation’, The Economist, 8 February 2018; Tan, Gillian, et al., ‘WeWork Plows Ahead with IPO Plans after Reshaping Board to Counter Skepticism’, Los Angeles Times, 13 September 2019; Carr, Austin, ‘Chipotle Eats Itself’, Fast Company, 16 October 2016; Phillips, Dom, ‘The swashbucking meat tycoons who nearly brought down a government’, The Guardian, 2 July 2019; Cassin, Richard L, ‘Zimmer Biomet Holdings pays $30 million to resolve new FCPA changes’, The FCPA Blog, 12 January 2017; Watson, R T, ‘Vale’s Management Team Is on Thin Ice After Deadly Dam Break’, BNN Bloomberg, 28 January 2019; Neumann, William, ‘Tyson Settles U.S. Charges of Bribery’, The New York Times, 10 February 2011; Schipani, Andres, ‘Petrobras in $853 million settlement of bribery case that rocked Brazil’, The Financial Times, 27 September 2018; Presley, Linda, ‘The largest foreign bribery case in history’, BBC World Service, 21 April 2018; ‘Chile’s SQM paying $30 million to resolve U.S. corruption cases’, Reuters, 13 January 2017; Cassin, Richard L, ‘Former Chile mining executive to settle FCPA offenses’, The FCPA Blog, 25 September 2018.
 Gelles, David; Kitroeff, Natalie, ‘Boeing ousts Top Executive as 737 MAX Crisis Swells’, The New York Times, 22 October 2019.
 Kitroeff, Natalie; Gelles, David, ‘“It’s More Than I Imagined”: Boeing’s New C.E.O. Confronts its Challenges’, The New York Times, 5 March 2020.
 Kitroeff and Gelles (footnote 14, above).
 US Department of Justice, Criminal Division, ‘Evaluation of Corporate Compliance Programs’, April 2019, p. 9 (emphasis added).
 Biskup, Robert, et al., ‘Board Oversight of Corporate Compliance: Is it Time for a Refresh?’, Harvard Law School Forum on Corporate Governance, Harvard Law School, 15 October 2019 (emphasis added).
 Kitroeff and Gelles (footnote 14, above).
 But see: https://www.jdsupra.com/legalnews/the-importance-of-aseparate-board-12193/; https://corpgov.law.harvard.edu/2019/10/15/boardoversight-of-corporate-compliance-is-it-time-for-arefresh/; and https://assets.corporatecompliance.org Portals/1/PDF/Resources/past_handouts/CEI/2014/706_Handout07.pdf.
 Kiemash, Stephen; Doyle, Rani, Report: ‘Eight priorities for boards in 2020’, EY Center for Board Matters, 19 November 2019, p. 9.
 Emphasis added.
 ‘Evaluation of Corporate Compliance Programs’ (footnote 17, above), pp. 2 and 3.
 For example, ‘The Three Lines of Defence in Effective Risk Management and Control’, The Florida Institute of Internal Auditors, 2013.
 NS Energy Staff Writer, NS Energy, ‘Top Five Iron Producing Company of the World from Rio Tinto to the National Mineral Development Corporation’, 1 Sept 2020.
 Relatório Final da CPI, Câmara dos Deputados, Comissão Parlamentar de Inquérito, ‘Rompimento da Barragem de Brumadinho’, October 2019 (‘CPI Report’), p.27.
 id., pp. 27, 38–53.
 Extraordinary Independent Consulting Committee for Investigation – CIAEA, Executive Summary of the Independent Investigative Report – Failure of Dam 1 of the Córrego de Feijão Mine – Brumadinho, MG, 20 Feb 2020 (Vale Report), p.6.
 id., p. 27.
 id., p. 40.
 id., p. 27.
 id., p. 34.
 id., p. 40.
 id., p. 34.
 id., p. 34.
 id., p. 34.
 id., p. 35.
 id., p. 39.
 Hiltzik, Michael, ‘Boeing’s Board Shouldn’t Escape Blame in 737 MAX Scandal’, Los Angeles Times, 3 Jan 2020.
 Useem, Jerry, ‘The Long-Forgotten Flight That Sent Boeing Off Course’, The Atlantic, 20 Nov 2019.
 Callahan, Patricia, ‘So why does Harry Stonecipher think he can turn around Boeing’, Chicago Tribune, 29 Feb 2004.
 Useem (footnote 40, above).
 ‘The Design, Development & Certification of the Boeing 737 MAX’, Committee on Transportation and Infrastructure, US House of Representatives, 2020 September (‘House Report’), p.37.
 Useem (footnote 40, above).
 Hiltzik (footnote 39, above).
 De Lea, Brittany, ‘Boeing’s all-star board bears blame for flawed corporate culture: Experts’, Fox Business, 9 Jan 2020.
 House Report (footnote 44, above), p.168.
 id., p.113.
 id., p.21.
 id., pp. 165–6, 174–182.
 Useem (footnote 40, above).
 Boeing Deferred Prosecution Agreement, justice.gov, 7 Jan 2021.
 Edmondson, Amy C., ‘Boeing and the Importance of Encouraging Employees to Speak Up’, Harvard Business Review, 4 May 2019.
 Sutton, Robert L., ‘Some Bosses Live in a Fool’s Paradise’, Harvard Business Review, 3 June 2010, quoted in Edmondson (footnote 54, above).
 Edmondson (footnote 56, above).
 Quoted in Somers, Meredith, ‘What leaders should learn from the 737 MAX emails’, MIT Management, Sloan School, 13 Jan 2020.
 Kanter, Rosabeth Moss, ‘It’s time for Boeing’s new CEO to restore trust by putting people first’, CNN Business Perspectives, 15 Jan 2020.