CCOs, Still Suffering Retaliation
I had another one of those unfortunate conversations the other day: talking with a compliance officer who had tried to do the right thing at their organization, and suffered retaliation for it. With that person‘s permission, I wanted to relay a few thoughts about how compliance officers can anticipate these ordeals.
First, why was I talking with this compliance officer at all? It began because I posted on LinkedIn that I’ll be moderating a webinar on Jan. 22 about retaliation that compliance officers themselves might suffer while on the job, and was anyone game to serve as a panelist?
I know that’s a delicate request, because compliance officers might be worried about future career prospects or even litigation if you’ve been forced to sign a non-disclosure agreement. Still, I was startled by just how many people wanted to talk about retaliation they’ve suffered. Some did indeed volunteer to speak on the webinar; others just wanted to tell me their story privately. My friend above is one of the latter.
This person is a compliance officer in a highly regulated field. They became aware of a privacy breach at their business: an employee did something dumb, and inadvertently exposed personal customer data to parties that shouldn’t have seen it. The compliance officer told senior management the issue was serious enough that the company should inform regulators, but not so severe that the company would face significant penalties. Just confess the error, take corrective actions, and move on.
According to my compliance officer friend, that’s not what happened. Senior management defended the employee who made the privacy error, and told the compliance officer to stop pressing management to take corrective action. Soon enough, the compliance officer saw their role eliminated as part of a “reorganization” — which happened to be a reorg of exactly one person. You can guess who.
What can compliance officers do to anticipate, and ideally even avoid, retaliation like this? I have a few thoughts.
Coach Management Ahead of Time
First is the question of how well management understands the compliance risks and infractions your business is likely to encounter. The more you can coach management on those points in advance of any particular infraction that might happen, the better you can steer them forward when some particular infraction does happen.
In the example above, management seemed to believe that the privacy violation that happened wasn’t a big deal and didn’t need to be reported. That’s not the same as a company with a severe compliance violation, where management immediately thinks, “Oh crap, we’re going to jail if this gets out. Shut it all down.”
For better or worse, compliance officers always run the risk of a malevolent management team, who know full well that by covering up an incident they’re breaking the law, and only see you as a threat to that plan. Incidents like that do happen, and they’re extremely difficult for compliance officers.
But we should acknowledge there’s another class of bull-headed management out there, who are more disengaged about addressing misconduct than they’re willfully determined to cover it up. For example, you might have a management team who says, “Do we really need to report this? Why not fire the employee and just be sure this never happens again?” Management teams adopt that posture all the time.
If firing and fixing is the wrong step — a step insufficient for the offense in question — then you the compliance officer might suddenly find yourself on dangerous ground. Management might start asking, “Why are you insisting on this, anyway?” and then turn against you.
With enough advance work, you might be able to avoid that scenario. If you have a management team that at least cares about compliance and good conduct in theory (not a given), and you can explain the various types of compliance infractions your business might encounter and what a wise response would be (also not a given), then that management team might be more open to following your advice when a specific allegation comes.
Of course, there are 100 ways my theory above might fall apart in the actual real-world situation you confront. But it’s a start.
Parallel Communication Risk
Another compliance officer told me about a related frustration. He was trying to investigate an employee who’d broken policy and recommend disciplinary action. One issue that drove him crazy: employees and management alike maintained private group texts where they talked about the issue.
Yes, that’s stupid for several reasons. Those chats could be subject to discovery in a lawsuit, so they increase your litigation risk. They could find their way into the public domain, embarrassing the company. Private chats about employee behavior are a bad idea, full stop.
More practically for the compliance officer: multiple, parallel discussions about employee conduct could lead to you losing influence in all sorts of ways.
Management might start talking about potential disciplinary action without you. Employees might start debating corporate policies and ethical standards without you. Quite simply, a host of conversations about the company’s culture of ethics and compliance might take place — all of them without your involvement, or perhaps even your knowledge.
A good corporate culture depends on everyone agreeing to the same basic ethical priorities and expectations for conduct. If people want to debate exactly what those priorities and expectations are, or how those things are applied in certain misconduct cases, that’s fine; but those conversations should happen in settings that are as open and transparent as possible.
Unfortunately, modern communications technology blasts that objective to pieces. You don’t have any easy way to prevent private chats about workplace issues, and I don’t know that we ever will in the future. But parallel communications give rise to different groups within the enterprise talking past each other, and flying right by you and your efforts to keep the company on a good, ethical, compliance-aware path.
Then you might wind up in the same predicament as my first friend above, where management just didn’t support the compliance officer’s assessment of the situation. Somehow management had talked itself into that belief, and from there it was a short jump to “Why do you keep pushing us on this, anyway?”
Speaking of anyway: we still have that webinar on retaliation for compliance officers, happening on Jan. 22. I hope you can register and participate. Even if you can’t, you can always email me at [email protected] or find me on LinkedIn. I’m always here to hear your stories.