In another Conduent blog post this week, we took a look at Uber’s recent cybersecurity incident involving a failure at the highest levels of the Company to act ethically in compliance with the law in failing to report a data security breach. The breach took place in October 2016 and what took place thereafter was a deliberate cover-up at various levels of management to disclose the breach to regulators in accordance with the law, potentially implicating Uber’s CEO, who knew of the breach two months prior to its actual disclosure in November 2017.
In that blog post, we point out that an effective compliance monitoring solution could have brought not only the breach incident to Uber’s compliance department but, perhaps more importantly in this case, the failure of Uber’s compliance department to take subsequent ethical actions to light.
In a recent, article in MIT Sloan Management Review titled, “The Trouble With Corporate Compliance Programs”, Todd Haugh, assistant professor of business law and ethics at Indiana University Kelley School of Business, posits that true prevention of unethical decisions lies in understanding how “rationalization” factors in to a conflicted employee’s decision-making process . Professor Haugh identifies eight different types of rationalizations that prospective bad actors may engage in: (1) denying responsibility, (2) denying injury, (3) denying the victim, (4) condemning the condemners, (5) appealing to higher loyalties, (6) using a ledger metaphor (using their positive actions as an excuse for bad behavior), (7) claiming entitlement, and (8) claiming relative acceptability or normality.
In the Uber example, one could identify at least a few different rationalizations that could have been drawn on by the bad actors covering up the breach – for example, appealing to higher loyalties (e.g., “it is in the best interests of the company”), or denying the injury or victim (e.g., “the sensitive data was ultimately destroyed and not released and so there is no harm to anyone”).
A behavioral ethics approach to understanding employee behavior – and in particular, identifying and remediating “pockets of bad culture” in the organization that can lend to these types of rationalizations is a key component of creating a “culture of compliance” within an organization.
The recent experiences of Wells Fargo are also illustrative, where, as Prof. Haugh observes “on the heels of the bank’s $185 million settlement agreement with the CFPB regarding the creation of fake accounts … the bank’s aggressive sales culture drowned out any explicit compliance measures” suggesting that “employees, under pressure to meet unrealistic goals, rationalized their conduct by denying responsibility and claiming relative normality”.
To combat rationalizations, Prof. Haugh points to the use of Big Data-based approaches to monitor for scenarios where employees are asked to engage in behavior that creates a compliance risk and there is a competing culture that allows for potential rationalization. In our view, the key to such systems should not only identify the obvious, discrete behavioral shortcomings, such as where an employee fails to report a compliance incident a la Uber but also the less discrete and generalized pockets of bad culture within the organization – such as the aggressive sales climate at Wells Fargo – that may support an employee rationalization to depart from a company’s culture of ethical behavior. It is important for the organization to understand not only when a violation has occurred but to also the countervailing pockets of bad culture that can lead to those violations through employee rationalization.
Technology solution should be tailored to fit organization needs, to diagnose and address ethical and compliance risks and to ensure your business can manage these risks in a comprehensive, cost-effective manner.
Sanjay Manocha, Vice President, Compliance,
Conduent Legal & Compliance Services