Most managers would never imagine that widespread employee fraud was going on in their own firms, or that the company’s sales goals were encouraging misconduct. But that’s exactly what happened when roughly two million Wells Fargo “ghost accounts” were opened, and it shows how real the possibility is, even in one of the most highly regulated industries.
Since the news broke, boards and executive committees the world over have been asking, “Could it happen here?” And no wonder – in addition to the damage to the victims, the bank agreed to a $185 million civil settlement with US regulators after firing 5,300 employees over a five-year period.
In the past few weeks, US Senators have grilled former CEO John Stumpf, and he’s appeared before the House of Representatives. The Wells Fargo board has started an independent investigation and said Stumpf would forfeit unvested equity valued at $41 million, his salary during the probe, and his 2016 bonus. (He has since resigned.) Lawsuits and a Labor Department review are underway, and the bank is also eliminating its sales quotas.
How this could have happened is relevant to all of big business, not just the bank at the center of the scandal. If they haven’t already, senior leadership teams should use this event as an opportunity to schedule a discussion with general managers of major business lines and heads of the relevant functions such as sales, compliance and ethics, risk, data privacy, and internal audit.
Questions to Ask
For a structured and effective conversation about this at your own firm, start with the list of questions below and customize them as appropriate. You can also use this discussion guide for a more in-depth approach.
1. Does your business strategy support both operational and risk management outcomes? Often, leaders underestimate the extent to which business strategy determines their risk exposure.
Yet unrealistic growth targets or timelines can lead employees to commit misconduct — paying a bribe to a customs official to ensure raw materials arrive on time, or fudging the numbers to hit the team’s aggressive Q4 sales goal.
To understand whether business strategy accounts for potential risk exposure, ask your leadership team these questions:
- Do you believe employees can hit operational targets without violating applicable regulations or company policies?
- Are sales targets achievable using appropriate techniques?
- Are your operational targets in line with those of your industry peers?
- Are you running scenario planning exercises, and do you have a crisis response plan for major potential failures?
2. What kind of behavior do incentives at your organization encourage? Incentives exist primarily to motivate employees to meet or exceed operational targets and support business growth.
But if incentives account not only for what employees should be doing (e.g., hitting an operational target) but also for how they should be doing it (e.g., in compliance with the organization’s policies, in an ethical manner), they can also play a significant role in encouraging a culture of integrity across the company.
To understand what kind of behavior your incentive structure encourages, ask your leadership team these questions:
- Are employees evaluated on how they achieve their results and meet their objectives or just on what results they achieve?
- For performance reviews, promotions, and compensation, how do you weight achievement compared to how they got there?
- Does the leadership team discuss how changes to the company’s compensation or performance management philosophy might drive unethical behaviors?
3. How prepared are your managers to engage in ethical leadership and escalate information appropriately? CEB research shows time and again the importance of an employee’s direct manager to the overall culture of an organization, as well as to the success of risk management practices.
Not only are perceptions of a direct manager’s leadership a major cause of an employee’s perception of culture, but managers are also the most common recipients of employees’ reports of misconduct. In fact, 63% of employees who observe misconduct choose to report it to their direct manager, far more than to the company helpline.
To understand how well your managers are prepared to play this critical role, ask your leadership team these questions:
- Have you trained managers to reinforce the right values and culture with their staff?
- Do you provide tools and support for managers to engage in these conversations (e.g., scenarios, handbooks)?
- Do your managers know what kinds of ethics issues need to be escalated?
- Are your managers trying to handle too many issues themselves without escalating them appropriately?
4. Are we using all possible information sources to understand risk at our organization? Though today’s company has a wealth of data at its fingertips, most managers don’t take full advantage of what this data has to offer.
Many are used to looking at audit findings or helpline data to understand risk; fewer use employee or customer perceptions to augment this picture. This information provides a unique perspective on facts on the ground, and can provide valuable insight into where and how risk is being created at the organization.
To understand whether senior leaders have a full picture of potential risk exposures, ask them these questions:
- Do we run a regular employee-wide survey on corporate culture that looks beyond engagement measures to include questions on observations of misconduct and the level of ethical pressure?
- Are employees at our organization comfortable raising concerns, and do they know how to do so?
- How are cultural and reputational risks taken into account in our annual enterprise risk assessment?
- Do we run an effective legal and compliance risk assessment separate from the enterprise risk management process?
- Do we mine customer complaints (e.g., with regulatory bodies, on social media) and compliance hotline data for valuable risk information?
- Do we review trends in this data on a regular basis?
5. How effective are the controls we put in place to manage our risks, especially those in our highest-risk areas? Companies often invest heavily in building a control infrastructure designed to avoid employee misconduct and mitigate any risk to the organization.
These controls need to respond to an environment where new risks emerge frequently and changes in employee workflows and technology create new vulnerabilities where there previously were none.
To understand how effective your control system is, ask your leadership team these questions:
- Do we segment high-risk employee groups and target them for more robust support (e.g., tailored compliance and ethics training, more frequent risk assessment or auditing)?
- Do we regularly test and audit the controls we have in place to catch employee mistakes or prevent bad actors from committing misconduct?
- How do we test the efficacy of our reporting process and anti-retaliation policies and controls?
- Is Internal Audit’s audit schedule aligned to the organization’s business strategy (e.g., focused on areas of high growth, aggressive targets)?