B (3:23)

So who did you talk to. And what did you find out?

C (3:27)

So I spoke to, for the book, nearly 50 people who engaged in white collar crime. From people whose cases are front page headlines, people from Enron, WorldCom, Bernie Madoff, to other people's cases, from well respected firms like McKinsey, KPMG, whose maybe cases are not quite as well known, but were really extraordinary leaders. Extraordinary people running the firm that made a series of mistakes that had these remarkable consequences.

B (3:57)

Yeah, Those first ones are known because they brought down companies. Right. And the later ones hurt reputation, they hurt with fines, but maybe lesser known because they didn't lead to calamitous collapse of a company.

C (4:12)

Right. I mean, in many ways the question that fascinates me, haunts me in some ways is how pretty remarkable people who are otherwise smart, thoughtful, intelligent, great dads end up engaging in this behavior after a decade or two decades of successfully running a firm. Being a leader within an organization we're talking about. Otherwise, I would say normal leaders, type A personalities that want to be successful. They want to be so successful, in fact. And that's not just because they want to make money, but they want to see their firms and their colleagues succeed. They end up engaging in these harmful acts.

B (4:49)

That kind of defeats the notion of bad apples. Right. That they're bad people from the start, bad people through and through, and that companies can't do anything about it. Maybe this is too simplistic, but is it more the tree than the apple?

C (5:05)

Psychologists for decades have really studied the difference between the individual and their surrounding circumstances. The circumstances are incredibly, incredibly important. When we start thinking about the pressure, I focus a lot on the distance of the consequences to the manager, him or herself. So if we think about the. The consequences for most white collar misconduct, it's psychologically and physically distant from the manager. So at the time he's engaging in some type of corporate malfeasance, it doesn't actually feel so harmful. It's only quarters or years down the road that it might become evident. And that makes it much easier to proceed with these consequential actions without necessarily appreciating those ramifications at the time.

B (5:51)

Yeah. And it's also not just those actions down the road, but if you have a culture that allows that kind of stuff to happen, it can be collective damage from a group of individuals or many individuals.

C (6:02)

Exactly. And also things are changing over time. So in the US let's think of some big things that are often prosecuted. Foreign Corrupt Practices act, bribery. But bribery in Germany was not only legal, but actually tax deductible up until 1999. So, I mean, this is a new, in some sense, rule or institution that's been created or another case that's particularly pertinent right now in the United States. If you do business with Iran as an American firm, there are some very, very serious consequences, both for individuals and the organization. But in other parts of the world, both in Europe and in Asia, Iran's a perfectly fine country to do business with. And if anything, it's trying to find loopholes to continue doing business with them under the current sanctions. And so part of these things represent changes in the regulatory environment. Some of this might even be political. And that's what makes it really challenging for business leaders.

B (6:55)

Yeah, that was one thing I found really interesting in your recent research and some of the studies that are going on in the field is this understanding that even in one company you can have a lot of variation in application of ethics or how ethical people are, depending on your geography and your the function you're in.

C (7:16)

I think every leader likes to think of their firm as having one homogenous culture. Certainly there's good reasons to try to be aiming toward that. But when you start running an organization that is in not just dozens of states, but dozens of countries, and you have 100,000, 10,000, 100,000 plus employees, you're going to have heterogeneity. EY has actually done some interesting work where they've actually interviewed managers about different kinds of aggressive conduct. For example, paying to win a contract. And if you look at some of their work, you'll see certain countries where 20 or 30% of managers will say, yeah, paying cash to win a contract. If this helps my company avoid a big miss, of course I would do it in other countries, Switzerland, the United States. Most managers at least will say no out loud. Some will of course do that, but very few would actually say, I would actually do that because we know the consequences.

B (8:08)

Is there an example you're thinking of from one of those prison visits where you see the geography or the function like a sales unit being so different from the culture of a different part of the company that it kind of flew under the radar?

C (8:22)

Well, I think if we take one of the prominent examples related to actually Enron, Arthur Andersen, one of the major professional services and accounting firms, they. There was clearly some, I think, challenges with how their branch in Texas worked with Enron, but that didn't characterize, I don't think, the whole firm or all its employees. And it's actually one of the reasons why it was So I think heavily criticized when the government actually prosecuted the firm or actually even just started with an indictment that ended up leading to the breakup. The breakup of the firm. It didn't characterize it. And I think the hard part is anytime a firm is criminally prosecuted, which is now happening with increasing frequency, it's not saying that the 10 or 50,000 employees are criminals. It's saying that that entity is actually what engaged in a criminal enterprise. And I think that's challenging because that actually creates a lot of costs, both on the employees themselves, but also the shareholders. There's a lot of externalities associated with these resolutions.

B (9:24)

And so if you're running these companies and you have offices in lots of different cities, in lots of different parts of the globe, and you're in a lot of different jurisdictions, you kind of need to be on top of it.

C (9:37)

Absolutely. And also the world's becoming even more complicated because the regulation in one country is increasingly affecting businesses in others. GDPR and privacy, for example, in Europe is a really good example where people in Europe have become very, very sensitive to the privacy. But how we in the US and, for example, say, China, which have radically different views about how we would use client data, images of employees, I think have not only different kind of moral views on this, but also just different views about how we'd handle that data. And so it's very easy for a firm that maybe has a branch in the US In Europe and in China, and you just normally are sharing client data or user data. And historically that was perfectly fine, could actually lead to reputational consequences in the US And a huge fine in Europe. And it's hard for people to maybe stay on top of all these different changes, because they really are changing quite rapidly in this kind of space. As we, I think, all know, over the last couple years. There are areas like harassment, discrimination, which may not actually tend to get to the criminal realm for most firms, but. But I think the reputational damage is as, or even greater than many of the civil and criminal sanctions available to regulators.

B (10:51)

Wow. When you have such a disparate firm like that and you have a lot of variation in how employees meet standards, you're trying to reach a single standard.

C (11:02)

Ideally, that's the goal, at least. That's hard. So many firms and leaders want to think that what they say at the annual retreat or what's in the code of ethics or code of conduct is what every employee is doing. But everyone comes from different backgrounds, that is, from different firms which have different levels of what's considered okay, around here. And the question is, how do you understand what those differences in the culture are and how could they contribute to or potentially detract from integrity related issues that expose the firm to reputational and regulatory risk?

B (11:38)

So all of these companies have compliance departments, they have legal departments, they have systems in place, processes in place to root it out and minimize their exposure. Is that not working or why isn't that enough?

C (11:52)

The problem is measurement. You can't manage a process if you don't measure it. What my work has shown is that organizations need to spend time and resources figuring out what are they getting in return for the investment. Whether it's a training exercise, whether it's investigations process, which is, or a senior management spending time with people in the field conveying what the firm is supposed to be doing. What's that time actually generating?

A (12:20)

No more waiting. With NetSuite by Oracle, you can put AI to work. Today, NetSuite is the number one AI Cloud ERP, trusted by over 43,000 businesses, is a unified suite that brings your financials, inventory, commerce, HR and CRM into a single source of truth. Right now, get our free business guide demystifying AI at netsuite.com IdeaCast the guide is free to you at netsuite.com Ideacast netsuite.com IdeaCast.

C (12:55)

Foreign.

A (13:00)

Let's be honest, most HR platforms aren't exactly a joy to use. Deal's different. It's AI native, keeps you compliant and grows with your team whether you're 5 people or 50,000 hr. IT and payroll on one platform that just works. See for yourself at deal.com that'S-E-E-L.com HBR.

B (13:33)

You've identified a very simple survey that companies can implement to basically find out and get a sense of what might be going on and where problem areas are. And I like it because it's just very, very simple. It essentially asks three questions of managers or people around the company. Number one, have you seen anything that's questionable? Essentially, did you report it? And if you didn't report it, why not? What do you learn by asking those questions?

C (14:06)

It's a hotspot identifier would be the simplest way to put it. Some firms, they'll have an investigation, they'll have a whistleblowing hotline, but they don't see a lot of movement there. They might have a call here, a call there. The question is, what's below that iceberg that they're not seeing? And what you're trying to do with this survey is say where Are there areas where there might be emerging issues occurring and we just don't know about it? This is not saying that the firm is not a great firm or there's even concerns necessarily about retaliation, but it's the fact that I've actually found in some of these results that people don't want to see their colleagues get fired. And so they're not speaking up. Not because they can't identify it, and not because they're not really willing to, because they're concerned about, but because they're concerned about the outcome. And so this is a way of trying to get ahead of those issues before they ideally hit or unideally hit the headlines.

B (14:58)

The statistics in here were pretty interesting. Workers are more likely to report a theft of company property or accounting irregularities. The number goes down for people reporting things like inappropriate gift giving or conflicts of interest. But even, you know, theft, like less than half the people would report something like that. So in a way, this data is showing you that, you know, it's normal that not everybody's going to report everything. But if it's higher than some standards, I mean, you get a sense from these numbers then, like where problems are or where people are under over reporting something.

C (15:36)

Exactly. And what you want to do is run this across, not to every employee necessarily, but a random group in different areas, different geographic, different divisions to see where are these numbers higher or lower. Because a lot of firms right now approach their integrity ethics compliance programs as kind of a one size fit all. We give everyone in the organization same kinds of training, the same kind of leadership by example. But really in practice, there are going to be certain areas that are hotspots, and wouldn't it be nice to identify those and then place more resources there? So what we do in every other operation of the firm, every other part of the firm, but oddly enough, we haven't started really doing this in the integrity and compliance space.

B (16:15)

Yeah, that's interesting. If one of your stores has low sales compared to everybody else, you go there and figure out what's going on. Or if one is very successful, you go there and figure out what's going on. And it's the same thing with ethics, essentially.

C (16:29)

It should be, and I will say right now, the only time really we see that occurring is, is after there's an issue. So after there's a bribery incident in Country X, you see a whole pile more training, a whole pile more new managers, different incentives put into place. But wouldn't you like to do that before you pay the huge regulatory fine? You're on the front page of the news. And a simple survey like this is trying to help managers get there without having to really invest a whole lot to help identify these issues.

B (16:58)

Right.

C (16:58)

And this goes back to not trying to identify bad people, bad managers. We're going to understand where there are maybe hotspots because of simply the pressures of the business line are different. And something we can help figure out how to get ahead of that to help the managers employees help themselves stay out of the headlines.

B (17:17)

So if you know about or have worked with companies that have used this survey, can you give some examples of things that they found or ways that they took action because they identified something they wouldn't otherwise have been able to discover?

C (17:32)

Generally what I've seen firms doing is saying let's actually customize the kind of training and also kinds of monitoring surveillance that we're going to apply. So, for example, in person training is by and large always going to be more effective than the generic online training. And so most firms can't spend the money to do in person training to everyone across the world. So what do you do? You basically only do in person training to your most senior people. You do online training for everyone else. Maybe you actually should invest in that in person training, not just for the senior leadership, but actually throughout the organization, but in very specific parts of the organization. Some subdivision within some geographic area, we can help identify that. Also, sometimes a lot of these things like training and codes, preventive things unfortunately are not enough. There are areas where sometimes you need to invest more in thinking in terms of the monitoring for that type of group. So looking at the expense reports, doing additional due diligence, again, that's very costly. And as most people say about compliance, that can be a burden on employees. So you don't want to roll that out against everyone. But maybe for a subgroup of an area that you see as a hotspot, a high risk area, it's worth doing that. Because whatever, maybe small additional costs that I'll impose upon that small area will be much less than having the entire firm have some regulatory issue. Because regulatory issues, fines, criminal sanctions aren't against some subunit. The DOJ doesn't say this subdivision within this country is what engaged in fraud. The headline in the Wall Street Journal will be Company X engaged in fraud. And that's what's so devastating.

B (19:14)

Yeah. Does that mean that investors maybe have the wrong impression of companies? When something like this happens, how often is it just a part of the company versus bad leadership, bad stuff happening from the top.

C (19:30)

So in A recent project, I actually wanted to say, what's the difference between the public perceptions of how often fraud occurs and what's reality? So I, I first took all publicly traded firms looked how often do they face one of these regulatory sanctions from the Department of Justice or sec? And what you find, it's less than on the civil side, less than 5% a year. So it's pretty infrequent jump inside the company. So I took data from three Fortune 100 companies, so notably large companies, and looked at when they internally found a substantiate violation of fraud, bribery, something that at least if a prosecutor was sitting there, could at least theoretically charge the company with criminal conduct. How often did those occur? Actually found it occurred once every three days on average. And so while the public, I think, has this perception that there's kind of good and bad companies, some that engage in fraud and some that don't, in reality, every company of any size has some anonymous conduct. And what management's job is is to make sure that in a large company that misconduct is occurring maybe once every three days and not three times per day. And that the size of the fraud is not tens of thousands, hundreds, thousands, millions of dollars, but ends up being small, immaterial amounts that they can manage internally.

B (20:52)

Yeah, these aren't big fires, but you're trying to put out, find the coals and the embers and put them out wherever they pop up.

C (21:00)

And the idea is, how can you make sure they're still only embers? I mean, the survey is trying to say one way to get ahead of that. Unfortunately, I think a lot of the world still operates on the ignorance is bliss approach. And this is in part from kind of the legal community, that you don't want to turn something that is embers into a fire yourself by talking about it. Exactly. And so sometimes you think, well, we address this by dealing with it internally and not making a big fuss over it that gets out publicly. The analogy I often like to make is corporate malfeasance is a lot like a bug getting a sore throat, which you can try to ignore, but what will happen is it'll generally grow and get worse unless you seek treatment. And that's a little like malfeasance. If you play the ignorance is bliss approach, there's a chance it might go away on its own accord. You don't need to go to the doctor, but that's rare. And oftentimes you need to seek the right treatment. And that's what the survey is trying to do, is trying to Figure out what kind of treatment do you need, what aisle do you need to go down to figure out how to get rid of that bug as quickly as possible.

B (22:04)

What do you do? I mean, in person training is one thing, right? But if something's going on that you have to stop, and maybe you just didn't know about it and didn't discover it before as a company leader, and now you know, how do you deal with it? Do you punish it? Do you eradicate it? Do you fire people? Do you retrain them and give them amnesty? Like, what are the tools to address it once you do find that?

C (22:31)

So the question is, what's the root cause for this misconduct? And so sometimes there's intentional. People have incentives that they're trying to get ahead. Sometimes, though, it's something as simple as the policy or process wasn't clear. People thought they were doing their job adequately well, and they were bringing in what their prior firm practices were. But it turns out their prior firm practices are either not appropriate anymore or not how we do things around here. You actually need to create that policy and make it clear to people you need to help them help themselves with creating easy ways to also follow that policy. Almost every firm where I start talking with them about their compliance program will note that they have this elaborate book of firm policies. But really a lot of those are outdated. Some of them they haven't had a chance to put in because it requires so much coordination between different groups of people that you only really learn after a couple months what the actual policies really are. And when they mean really are, it means the ones that you're punished for breaking and the ones that you're supposed to implicitly do. It's as Marvin Bauer described, cultures, the way we do things around here, and that's hard in this integrity policy space.

B (23:39)

And in the end, you're trying to avoid reputational damage, you're trying to avoid financial damage through fines from regulatory authorities, and you're also trying to stay out of prison yourself.

C (23:51)

Exactly. The best way I like to think of this, why do we do all this stuff? Is that I spent a lot of time teaching in the classroom, working with companies, talking about their compliance programs. And what I've learned is that knowing where I'm in there in a classroom or working with them on a training exercise or speaking with their colleagues, do they ever think they would be involved in anything that we would describe as corporate malfeasance? But the data suggests otherwise, that in the long run, there are very smart people who are thoughtful, great parents, great spouses who are going to engage in conduct that has these kinds of consequences that are serious, not just paying a fine, but can lead to prison. And so what I hope we can do with tools like this is help people get maybe one step ahead to not just help their firms, but to really help themselves.

A (24:42)

That was Eugene Soltis, a professor at Harvard Business School, speaking with HBR IdeaCast host Kurt Nickish. Eugene's the author of the book why they Do Inside the Mind of the White Collar Criminal. HBR on Leadership will be back next Wednesday with another handpicked conversation from Harvard Business Review. If this episode helped, you, share it with your friends and colleagues and follow the show on Apple Podcasts, Spotify or wherever you listen to podcasts while you're there, consider leaving us a review. And when you're ready for more podcasts, articles, case studies, books and videos with the world's top business and management experts, find it all@hbr.org this episode was produced by Mary Dew and me. Amanda Kersey on Leadership's team includes Maureen Hoch, Rob Eckhart, Erica Trexler, Ramsey Kabaz, Anne Bartholomew and Nicole Smith. Music is by Coma Media.