Stericycle, the global medical waste giant, has agreed to settle FCPA charges against the company for widespread bribery in Latin America, giving the rest of us another case with lessons about the risks of rapid international growth and poor corporate culture.
The settlement was announced Wednesday. Stericycle will pay $84 million in penalties to the Justice Department, the Securities and Exchange Commission, and regulators in Brazil. The company also agreed to a three-year deferred-prosecution agreement and an independent compliance monitor for two years.
The settlement itself is not a surprise, since Stericycle had already disclosed the pending terms to investors in a quarterly filing in February. Nor, really, are the broad contours of the misconduct. Stericycle launched a rapid expansion into Latin America in the first half of the 2010s, acquiring local waste disposal businesses in high-risk countries and leaving the original owners in place to manage the newly acquired units. All the usual FCPA hijinks ensued.
From 2017 onward, Stericycle’s current management team did a major overhaul and compliance program redesign; the company even published a press release noting its settlement, which you don’t see terribly often. Still, what lessons can we learn from this case, the second significant FCPA enforcement action of 2022? The biggest one seems to be about corporate culture, and failing to push strong oversight from headquarters down through the rest of the enterprise.
Start with the facts presented in the SEC’s settlement order. Stericycle, headquartered in Indiana, began its push into Latin America in 1997. The company scooped up one local business after another in Argentina, Brazil, and Mexico. The prior local business owners continued to run the operations in each country; and each country had an executive team that reported to a now-former Stericycle executive responsible for all of Latin America. That Latin America leader was a Mexican national, who relocated to Miami in 2015 to run Stericycle’s Latin America operations from there.
Then comes this painful paragraph in the SEC order:
As Stericycle grew in Latin America through acquisition, the accounting processes and systems remained mostly decentralized with neither uniformity nor proper oversight, resulting in internal control deficiencies. Additionally, Stericycle had no centralized compliance department and failed to implement its FCPA policies or procedures prior to 2016.
Fragmented oversight and fragmented systems. That’s the recipe for an FCPA trainwreck.
Failures of Corporate Culture
The Stericycle case has all the facts we usually see in FCPA enforcement, such as employees maintaining secret spreadsheets to track bribes and sham third-party vendors generating sham invoices to conceal cash payments to government officials. We even have the requisite funny name used to disguise bribery payments: alfajores, a sugar cookie popular in Argentina. (“Oh come on,” one Argentine friend said when I told her that detail. “They’re good, but they’re not that good.”)
Interesting, but we’ve heard all those tales of secret spreadsheets and funny names for bribes before. The deeper lesson here is more about leadership and corporate culture in a high-growth enterprise.
Start with the Latin America business unit itself. Stericycle cobbled the unit together by acquisition, leaving the same people who’d always led those local businesses still in charge.
That’s not necessarily a bad personnel strategy for a highly acquisitive company; I’ve been on the receiving end of such acquisitions myself. But this strategy does remind us of the perils of “culture inertia” — that is, the risk that the acquired employees don’t see any urgency to embrace the parent company’s corporate culture. They keep doing things the way things have always been done.
When you’re expanding into countries with high corruption risk, that means employees keep paying bribes — and why wouldn’t they? If a corrupt approach to business is all they’ve known, corruption is what they’ll keep doing. (Hence I was reminded of last year’s FCPA enforcement action against WPP; that was another FCPA case where local managers were left to keep running acquired business units.)
Indeed, that’s what struck me most as I read Stericycle’s deferred-prosecution agreement and the SEC order: the sense that corruption was just standard operating procedure for Stericycle’s Latin America operations. For example, not only did employees use spreadsheets to track their bribes; they used those spreadsheets with impressive sophistication. Bribes were calculated using automatic formulas embedded into the spreadsheets, and organized payments by month and region. Employees even forecast the cash necessary for bribes.
Employees do things like that when bribery is endemic and embedded into routine operations. They continue to do that when new parent companies then take no action to send the corporate culture on a new path.
How does a company alter that trajectory for newly acquired units? With lots of executive messaging, lots of anti-bribery policies, and lots of attention paid to anti-bribery controls and procedures as well.
Which brings us to the next lesson here…
Failure of Corporate Controls
The other point that struck me came from that paragraph in the SEC order quoted above. Stericycle went on an acquisition spree and then left the accounting systems and internal controls decentralized.
That’s the other half of the failure equation here. Stericycle’s FCPA problems existed because the company didn’t enforce high ethical conduct among its leaders and because it didn’t have the necessary accounting systems to prevent abuse. The latter empowered the former to do what they did.
Decentralized accounting systems and internal controls thwart visibility into financial operations. When senior executives lack visibility into how the company is spending its funds, that gives local managers and intermediaries the opportunity they need to engage in corrupt acts.
Hence what I said earlier: fragmented oversight and fragmented systems are the recipe for FCPA disaster. Businesses need a single, unified vision of what the corporate culture should be; and then they need to implement systems and internal controls to enforce that single, unified vision across the whole enterprise.
In subsequent posts I’ll dig into more specific lessons we can learn from Stericycle’s missteps. Foremost, however, it’s worth remembering the two fundamental weaknesses that allow a large enterprise to slip into FCPA trouble. All the specific lessons that come after that are just descendants from that root cause.