Simplify for Success - Conversation with Patrick Henz
He shared that it is important to build personal relationships with business units and simplify compliance to improve adoption. He highlighted how the penalties and reputational impacts of non-compliance are much higher than the investments needed to build a world-class compliance program.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid-paced work environment. We have invited a few colleagues in the data and information governance space to share their strategies and approaches for simplification. Today we will be talking with Patrick Henz.
Patrick started his career in corporate information office and compliance at the end of 2007, when he was responsible for the implementation of Siemens' Anti-Corruption program in Mexico and several Central American and Caribbean countries. Through these tasks he gained valuable insights into compliance programs with a focus on Latin America.
Since 2009 in his role as Chief Compliance Officer, he has been responsible for an effective compliance system based on identification, protection, detection, response and recovery, and combined with integrity, respect, passion and sustainability. He defines governance, risk and compliance as a proactive function, being perceived as a guardian expert and a facilitator. The focus is on information to ensure adequate behavior not only of human employees but artificial intelligence as well.
Furthermore, he is a member of the IEEE Digital Reality Initiative and author of several books. Welcome to the show Patrick.
Hello, thank you Priya. Pleasure to be here.
So, Patrick, you've had many years of experience leading compliance for many organizations. In your experience, how do you build a business case for compliance?
Oh thanks, yeah, so let's go back a little bit. I originally started in compliance at the end of 2007. I worked in Mexico City, at Siemens at that time. As you may remember, at that time Siemens had global investigations; they had the big corruption scandal, and there was still an investigation and negotiation of this, especially with the US Department of Justice. As it was still unclear how much the fine they would have to pay later would be, one important thing was also to reduce the legal fees as much as possible: you have to show that you have an efficient compliance system implemented, or are in the process of really adequately attacking the problem by implementing a compliance department.
So, this was the situation as we started this compliance at Siemens. At that time, the company already had compliance systems in place, but as you may imagine, they might not have been adequate. So really, the company made a big and bold decision, and they made it clear right from the beginning that compliance is the new way of working; it is not only to please the official investigators, the press or whatever.
The business case for compliance, I mean, you can see the numbers: Siemens paid something like 800 million U.S. dollars in fines to the US Department of Justice alone. Uh, plus they paid fines in other countries. Of course, they had to pay the external consulting companies supporting them in implementing the compliance system, so they really had high costs, and after this implementation there were bigger corruption cases with the company.
So, the question with compliance is how much compliance costs, but also how much you would have to pay for non-compliance, and that's of course always the tricky part. Because if you are leading an efficient compliance program you can tell your CEO, well, we didn't have any compliance cases, and due to this we didn't have to pay any compliance-related fines.
But you have to somehow prove that this is based on your compliance department and not on pure luck, or on the fact that you do not have a high risk, or that the employees would also have acted adequately without a costly compliance department.
So, I mean, this is the topic which compliance officers have been discussing since they have existed, because we always have pressure, especially in times of economic downturn like right at the moment, to justify the costs which you consequently have with compliance. This is not only related to, let's say, the salary of the compliance officer, but also includes, for example, the costs for tools, the costs for external whistleblower hotlines, and time, because the process, for example, to approve an external sales consultant, sales agent, whatever, needs different levels of approval, and so this takes more time than before. And as you know, in business time is also money.
So really a very good question. What you try to look for is not only to show that you yourself as a company didn't have any corruption cases, but you should also be involved in the risk assessment. Know how risky your business environment is. Of course, you also may see what kind of cases your competitors had, who maybe didn't have a compliance department on the same level as you.
So, the point is that you have an adequate compliance system which is really based on the risks which you have identified together with the business, and that, based on the risk, you don't have a compliance system which carries a bureaucratic burden which is not needed. So, we really have it as slim as possible and also as strong as required.
So, you brought up some really good points. And this is not just with compliance programs; in general, it's in any kind of risk management phase, right?
So, I think I was referencing this on another podcast around cyber security, where we were talking about, I think, Target. The CISO of Target after the breach, or maybe it was Equifax, came up and said, you know, it was much easier, and it's always easy after a breach, or after a big incident, or after a large fine, to justify the program, because compared to the $800 million fine that you were talking about, any kind of compliance cost looks very minimal.
But when you have had years of very little, let's say issues, you also have to justify the business case around why you are not having issues. Because it's like proving the negative is because of you, right?
Also, some of these programs take time because you're talking about cultural change, cultural change around, understanding risk, understanding some of these things within people. So how do you set timelines and how do you set expectations for success when you build these business cases?
I think it's important, as a compliance officer, or however this function may be called, because many companies do not have a compliance officer but a shared function, especially smaller companies and companies with a lower risk level.
So, if you are responsible for compliance, it is important that you are near to the business, that you understand the business and the business's needs. And with understanding the business, I think you can act as the trusted advisor. Because, as I said, you want to change the corporate culture and before people trust you, in many cases they must get to know you on a personal level. For this, compliance is not a function which you can do behind closed doors.
You really should go out; uh, you also should, for example, visit the factories and project locations, even if there's maybe no direct compliance risk, just to learn how the company is really earning its money.
Uh, so important is the trust of your colleagues. So, these one-on-one meetings, but also, if you know the company, you can realistically discuss with management how long a change of corporate culture may take or may not take.
Again, back to my experience from Siemens, the ability to change also depends on the level of pressure. At that time Siemens had to change quite fast. So practically the corporate culture changed in less than one year, at least for most of the employees.
But also, I would like to add, if you see the companies which had been involved in bigger corruption scandals, at the end the number, let's say, of employees not acting adequately has been relatively low, even if the company is known for having a higher corruption risk. Most of the employees really come to your company doing their best and working based on their personal values. And they're really honest people, so it was not that difficult to change the culture.
Most of the people, from my experience, really like the change of becoming a more transparent company. And if you are, let's say, corrupt outside, then most probably inside the company you are also not working based on the established regulations, which can include that as an employee you really do not grow based on your actions, on your knowledge, but maybe on the friendships which you have at the higher level.
From my experience, such a change towards being a more ethical company is always very welcomed by the employees. And again, by being near to the business, you are a trusted advisor also for higher management, and you can discuss realistically how long it will take for you to change.
Makes sense. You know, we were talking about simplification for success, and you were talking about one of the biggest things to think about being how simple your compliance programs are. Because it's very easy, or rather, it's much more difficult, to take a complex program and expect people to sort of follow it.
So, what are your thoughts around simplifying? We believe there are essentially two ways to simplify. One is breaking down parts to reduce the complexity. The other is to identify and come up with a totally innovative way to execute a task. Would you choose one over the other? I mean, first of all, is it even a choice? And any thoughts that you may have on this?
I mean, you practically indicated it in your question. I don't think it's a choice. You always have to work on both sides. Of course, you should split up, break out the different parts and separately see where you can reduce the complexity.
But on the other hand, you also should ask yourself, is this whole process really needed? And again, if it's really needed based on the risk that you have. Both are interlinked, and as da Vinci said, simplification is the ultimate sophistication.
So, I really try to ask myself, is it really needed to be so complex, yes or no? So, to answer the question, both are important. Maybe I give a little bit more focus on the second, to see how we can do various things in a different way, and always keep in mind that complexity is not only time but also money.
But also, offering slim processes reduces, if I think for example of Donald Cressey's fraud triangle, the temptation of my employees to violate the processes because they perceive them as too bureaucratic. And so offering slim processes, fast processes, I think is also a sign of respect which I, as a compliance officer, show, uh, the rest of the employees. So having slim and efficient processes is a sign of respect from the company towards the employee.
Makes sense. Can you share some examples on how you have simplified and how it's helped in making your program more successful?
One important point which companies like to foster is to empower employees to have responsibility, but they also want them to take on the accountability for their actions. For example, you see in various companies, especially bigger transnational ones, approval processes where up to, let's say, seven employees sign for an offer or any kind of other relevant action.
Uh, you may ask yourself, is it really necessary that seven or more people are signing for this action, especially keeping in mind that, at least at the higher levels, the people signing off have no clue what your request really needs, because they're not involved in it locally.
And due to this we see, for example, that especially the higher levels are signing because the lower-level person has signed. But they only signed because the other person had signed, and not because they really read what the original request was.
So, there is something in psychology, the bystander effect. Everybody is signing because the other one has. And maybe only the first approver, or the first and the second approver, really read what it's all about. And so, if we have this situation, if most of the people only sign because the other one has signed,
then of course you should ask yourself, do I really need all of these approvals? Reducing approval levels also aligns with having people really empowered with their own actions, so I think this is one example where you can reduce bureaucracy in the approval levels.
Great points. You brought up something very important, right? So, you mentioned you have to get closer to the business and spend time, and sometimes even meet them, so they get to know you on a personal level. So how does cross collaboration play a role in supporting your projects or initiatives?
A relevant factor; I mean, you read it practically in all management publications. Uh, especially right at the moment, coming out of the COVID crisis, hopefully, we see that a lot of companies used the last year to reduce the workforce, and to be honest, compliance was also not immune. You see that the compliance department has been reduced.
As I said in the beginning, a lot of compliance officers wear different hats. For example, besides compliance, I'm also responsible for other topics such as governance, risk and business continuity management. We see that this applies to most of the employees. Due to international cooperation and project-oriented infrastructure, a lot of us wear different hats, so we have to cooperate with each other.
And as you know, we also have digital transformation. Uh, meaning again, the human workforce is getting reduced, and we are working together with intelligent algorithms, which take on a workload, which means we are free to do more stuff. And again, we are free to wear different hats, having different responsibilities.
So, at the end we have much more interaction; we have to overcome a silo mentality, as we have different responsibilities. We work together with different colleagues, and on top of that we have dynamic groups which form based on the needs of the projects.
So, we have more of these interactions compared to 10 years ago. You know, the classic setup is that compliance is a little bit separated, reporting directly to the general counsel or CEO, but in addition to these factors which I described, we also wear different hats, and duties are much more integrated into the companies. As compliance officers we also have to be team players.
So how do you leverage technology to solve some of these problems as you set up your programs? How has technology helped you?
Well, for example, I'm a big fan of the ideas and concepts of the statistician and management consultant W. Edwards Deming. He has a lot of famous quotes. One of these is that 94% of most problems and possibilities for improvement belong to the system and also the individual employee.
So even if compliance wants to avoid human problems, because we're speaking of behavior, I have to be aware of the processes, including the tools which I'm using inside the company. Because only if they are as slim and efficient as possible do the employees see them as a support and use them.
And this also includes the typical compliance tools, such as, on the one hand, asking for preapprovals, and the whistleblower hotline, which I think is the most important compliance tool that I have. Because I have to be honest: even with the best compliance system, with the best, most positive corporate culture, I always have the risk that I have this one bad employee who, for whatever reason, violates internal guidelines or violates some laws, and this is maybe not because it's a bad person, but because of the personal situation, personal pressures. So, it's not always a question of ethics, whether I would violate a guideline, yes, uh, or no.
So, for this it's important to have an efficient hotline that is trusted by the employees, that it's really 100% anonymous, but also trusted that there are no negative consequences for reporting, and also they have to trust that reporting something will lead to a change.
Because using a hotline always has a personal cost for the employee, especially if they are working in a smaller location, a smaller organization. Even if the tool is 100% anonymous, people may start thinking who the person was, who the whistleblower was, and maybe come to the conclusion that it was exactly this person who did it.
So, for this it's always a risk, even if it's 100% anonymous, and for this it is important that they can assume, if they report something, that the compliance officer, together with management, starts the adequate corrective measures, which could be personal consequences against some employees, but also a change of internal processes, as many times
people reported something where you may understand that they got the perception that something went wrong, but in fact it wasn't directly that something was going wrong. It was more that transparency was lacking, and so employees got the impression that something was.
So, what are some of the biggest challenges you typically face? And any tips that you can provide on how you overcome some of these challenges?
The biggest challenge is getting people to listen to you. Let's say a compliance officer, similar to the person responsible for cyber security, HR or whatever. I mean, we don't have external customers, but let's say our customers are the employees, because they have to buy into the ideas that we are telling them.
And the biggest problem, I would say, is that, especially as a lot of companies are working with a reduced workload, everybody is extremely busy. Uh, today they are listening to my compliance message, tomorrow they are listening to this, uh, security message, then they're listening to the HR message, then getting the messages from the different business leaders. So the biggest problem is that, yeah, your message really reaches the employees.
And here I would especially say the middle management, because on the one hand they have to be the leader, and on the other hand they really have to execute all the different tasks which they get from the upper management. With the upper management, it is mostly a little bit easier, because they have to give the tone from the top, but they are less involved in the daily tasks.
And especially in daily tasks you get the temptation to violate laws and regulations, so again I try to be near to the business, near to the employee, so that they perceive me as somebody who solves problems and not somebody who brings them additional problems, such as following additional processes.
And as a part of showing respect, I only give them additional processes and tools where I know that it's necessary based on the risk level, and also I really keep an eye on my own processes to ensure that they are as slim as possible, to not give a burden which is not necessary. And I think if you treat people with respect, you get the respect back, and when you have this respect, people are also listening to you.
Makes a lot of sense. Thank you. Some really, really great points and thoughts here, so thank you, Patrick, for your time. I appreciate you taking the time.
Thanks for the invitation. It was a pleasure to be on your podcast.