Cheat Sheet
- An outside assessment. If you are going to engage an outside firm to analyze any compliance issue, it is critical that you hire a compliance expert who is skilled in the work and has deep experience in the subject matter.
- Internal controls. Internal controls serve as guardrails as well as early warning systems. The Uber report recommends the need for a complaint-tracking tool to identify repeat offenders, rather than relying on organizational memory.
- Creating a mission. The Uber report provides three important reminders with regard to creating a mission: (1) simplify your values and include more positive behaviors; (2) have senior leadership demonstrate those values; and (3) be effective at change management to solicit employee input.
- A strong foundation. Hiring the right people is an important step in building an ethical foundation for the company. The Uber report recommends connecting executive compensation to company values to encourage employees to demonstrate ethical business practices, diversity, and inclusion.
Since it became a disruptive force in the transportation industry, it’s been difficult to avoid hearing about Uber and its meteoric success. The company is the epitome of a tech-based start-up turned behemoth, and has been examined and analyzed worldwide as a case study in finding and disrupting an entire industry. However, in February 2017, that brand shifted after a female engineer authored a viral blog post that focused on allegations of a culture entangled with harassment, discrimination, and retaliation.
Uber promptly responded to its critical compliance issue with notable speed and transparency. In March 2017, it hired the law firm of O’Melveny & Myers (and importantly former US Attorney General Eric Holder) to investigate the allegations and provide a report to the company’s board of directors. In addition, the board established a special committee to analyze the work. Uber publicized a version of that report, including its conclusions and recommendations. In this article, we analyze those lessons and recommendations for in-house counsel leading or supporting their company’s compliance programs.
The power of an outsider’s assessment
When Uber realized it had a critical compliance issue, the company hired outside experts to analyze vulnerabilities raised by the blog post, and the larger infrastructure problems underlying it. Engaging a third party, who can look at your culture and its blemishes with an uninfluenced eye, is a very powerful tool.
Hiring a third party has its pros and cons. In Uber’s case, it allowed them to make a visible and bold statement about how seriously the company was taking the investigation. It also provided a high degree of credibility, given the prestigious firm selected and the participation of a former US attorney general. In addition, it offered a resource with nearly limitless legal and investigative resources that could quickly and effectively assess the situation. Moreover, and unlike using an internal resource, the external counsel would be significantly less likely to feel compelled to shift or shade the results of the investigation because of internal pressure.
Use of external counsel in this fashion can come with cons as well. It is an incredibly expensive approach. As the investigation unfolds, the organization can feel a heightened sense of attention or anxiety about the investigation. Sitting down with any lawyer, particularly an external law firm lawyers, for a candid discussion about workplace grievances rarely generates warm feelings for your employees. In addition, if disciplinary action results from the investigation, the organization can trigger some additional state and federal statutes that may require unwanted transparency and a loss of confidentiality. Finally, most times no one knows the nuances of your organization better than your inside team, who can tease out insights you might not receive otherwise.
It is important to note here that Uber hired an incredibly high caliber team and firm, with truly unique expertise, experience, and influence, which is a lesson in and of itself. If you are going to engage an outside firm to undertake this type of analysis, it is critical that you hire an expert in the space, who is skilled in the work and has deep experience, and with whom you have a relationship of trust. Among the things that can make a critical compliance issue even worse is engaging an outside partner who is not qualified to undertake the work, or who can inadvertently lead your board or management team into an even more vulnerable legal position.
Leaders as culture creators, and recognizing when to make a change
Uber has begun its journey to start over and it has chosen to start at the top of its organization with its CEO. “Tone at the top” is a phrase widely used to define leadership’s verbal and behavioral commitment toward openness, honesty, integrity, and ethical behavior. It is undoubtedly an important and a critical component to any viable compliance program. Employees should recognize the company’s commitment to institutional integrity and understand that compliance goes all the way to the top. While the impact of the behavior of an organization’s board of directors and the executive team cannot be overstated, the responsibility does not end there. Many employees do not know who is on the board of directors. And the company’s headquarters, which is typically the home of the executive team, may seem quite remote to employees who work at other locations.
Consequently, tone at the top is critical, but what is often forgotten is that the “top” is different depending on where you are in the organization. In a national or international organization, the behavior of the leaders of your location or operations unit is the visible, guiding light. In a retail store, it is often the store manager who is the most influential to store employees. When thinking about leadership behavior, do not forget to include middle managers and other leaders within the organization. Those everyday actors can sometimes lead the company out of the wilderness, or at least keep their subordinates out of harm’s way.
One of the most significant challenges a compliance team can face is when a senior executive or top salesperson is implicated in a potential ethical lapse. In these situations, it is critical to establish the appropriate degree of independence upfront to allow for an unemotional and honest assessment. Often, this may require a report to the company’s board or audit committee, which is why it helps when compliance leaders at least have a dotted line reporting structure.
Once the investigation is complete, you will need to consider what disciplinary action is appropriate, potentially including termination or even a report to regulators. Here, it is helpful for companies to have a well-defined disciplinary matrix that sets an appropriate range of penalties for all violations of company policies. Placing guardrails on discretion not only simplifies decision-making in a stressful and sometimes-contentious environment, but it also ensures that employees do not develop a perception that senior leadership is treated differently.
We don’t pretend that any of this is easy or happens without angst. There really is not an easy alternative. Actions that don’t match an organization’s values can damage its reputation and its ability to attract and retain good employees. And, have we mentioned the risk of fines, litigation, settlements, and legal costs?
Ensuring your employees have skin in the game
One of the most important recommendations made in the Uber report was for a comprehensive audit and review of pay practices to assure that compensation was set for legitimate business-related reasons. That recommendation was premised on the fact that an organization’s compensation system declares in bold headlines that the company pays for performance. They will also notice who is held accountable when something goes wrong. How often is it said that only the little guy gets fired? Uber did not do that. It took actions with senior leaders. Why? Leadership comes with great responsibility and those at the top understand that they are captains of the ship. If something bad happens, many regulators hold the leaders accountable, even for misconduct that isn’t their own. Compensation needs to be tied to — and thus incentivize — good behavior. If compensation is not structured properly, employees may be more tempted to take on bigger risks that can harm the company or be under the impression that the expectation is to win at all costs.
If something bad happens, the discipline decision is often framed as a binary choice: termination or continued employment. Other effective ways to tie compensation to performance include withholding a pay raise or performance bonus, delaying or denying a promotion, removing an executive privilege (e.g., parking space), or instituting a demotion. These corrective actions demonstrate that winning without integrity is failure.
Not all of these actions are visible to others. Companies must decide what to communicate openly to demonstrate their commitment to ethics and compliance. Strong actions that are taken but are unknown to others can be interpreted as inaction or endorsement of the misconduct.
Board and board committees and their role in driving culture
So whose responsibility is it to take these actions? In the case of the CEO, in most cases and absent a delegation, it is the sole responsibility of the board of directors, acting through the audit committee, compliance committee, or the HR committee to hire and fire the CEO. It is also possible to create a special committee of the board to handle particularly difficult performance situations. However, if frank, articulate, and supportive communications, including regular performance reviews with the CEO occur, then the extreme measure of a special committee should not be necessary.
The board may, and often does, act as an advisor to the CEO and weighs in on behavior of the executive leadership team. The same criteria of clear performance conversations and accountability apply to the CEO’s management of the senior executives on the leadership team.
We must also address the question of board and director independence, another key recommendation of the Uber report. Independent directors are critical to the board’s effectiveness in many ways, not least of which includes CEO performance management. If the directors are personal friends, relatives, a part of the CEO’s management team, or beholden in other ways — the risk of bias, even unintentional, will infect the analysis and decision-making process. CEO performance, compensation, and discipline is typically the domain of an independent committee of the board.
Internal controls as a regulating force
Internal controls serve as guardrails as well as early warning systems. While usually discussed in relation to finance and accounting responsibilities, in the context of culture and leadership, the key controls are policies, tracking practices, and recordkeeping. The Uber report recommended the need for a complaint tracking tool to identify repeat offenders, rather than rely on organizational memory. Such a tracking system can be useful, if decision-making is based on a combination of incidence and severity. Some behaviors, however, only require a single instance for severe consequences.
Complaint-tracking tools come in various shapes and sizes. Third-party hotline providers use a tracking tool for calls that they receive. That same tool can often be expanded to allow manual entry of complaints and other internal matters. The value here is that complaint information related to your company can be combined on a single report. There is usually a cost for this service. If you do not use a hotline vendor, or you do not wish to incur the cost, you can track internal complaints and matters on a searchable database or Excel spreadsheet. Either way, be sure to keep ethics and compliance records and complaints separate from HR records, although you will want to cross reference names and complaint categories to assure that you can identify and properly deal with repeat offenders. Remember that you will want to know not just who was the bad actor, but also if others were involved, knew about the behavior, and did not report it (witnesses) as well as managers who knew about bad behavior and did not discipline.
Another interesting recommendation was to track separation and settlement agreements with former employees, presumably by the legal team. This assures compliance with the agreements and consistency in terms. It’s unclear what deficiency this recommendation was meant to resolve, but it could be extraordinarily difficult to execute in a large organization. Certainly, one tool is to use a template agreement with certain terms that can deviate within a range based on specific factors. If compliance with certain terms is important, then following up on those specific elements seems practicable.
Policy governance is a key control and seems fundamental, but very few organizations do it well. For any organization, a basic structure to manage the creation, consistency, ownership, location, review, and updates to policies should be top of your to-do list. The key hallmarks of policy governance include a point person or committee with the authority to: (1) approve the creation of new policies or edits to existing policies; (2) identify an organizational “owner” for each policy; (3) establish a review date for each policy, although it may be reviewed and updated earlier if the need arises; and (4) establish a history or audit trail of changes to policies by date, so that you can retrieve the policy in effect at any given date. The “how” of policy governance is variable. Policy governance software is available for purchase, or policies can be managed internally via spreadsheet if your organization is small and not particularly complex. The key is to build a governance process that provides guidance for your employees now, and preserves the history of policy creation and amendments for the future.
Modifying the termination exit interview to be a six-month postemployment exit interview is another recommendation. Too often, the utility of exit interviews is limited because the soon-to-be former employee is not settled in a new job, does not want to burn professional bridges, and may be too emotionally close to the situation. Waiting six months to conduct the exit interview could give a more balanced and honest set of responses. Permission to follow up or conduct the exit interview after six months could be requested at the time of the employee off-boarding.
Developing mission, vision, and values that drive your desired culture
A strong mission, vision, and set of values can serve as both a foundation and a catalyst for a compliance program. These elements are grounding principles connected to everything from strategy to daily business. They can guide decisions even if policy and procedures lack detail. The Uber report provides three important reminders: an organization should have a set of clear, simple values; leadership should actively demonstrate their commitment to the values; and change management should build awareness and buy-in for the values throughout the organization.
The Uber report recommends that Uber simplify its values and include more positive behaviors. Having a set of simple, holistic values provides a strong foundation for the compliance program. It is easier for employees to relate to values than to laws and regulations. Pressure to achieve good results is a normal part of business and is not necessarily an indication of a bad culture. Company values provide the guidelines on how to achieve those results. When company values are focused mostly on business results, employees may interpret that as a message to hit individual goals at any cost — even by illegal means. Uber currently has 14 values, including some focused on individual results and sales like “Let Builders Build” or “Always Be Hustling.” Eliminate values that have been used to justify poor behavior. Sales and results are important, but the report encourages more values emphasizing collaboration, diversity, inclusion, and mutual respect.
Once a holistic set of values is identified, the report then stresses the need for further action. Senior leaders are expected to “walk the talk” daily by being role models, including by embracing and communicating new values. Note that the report does not delegate that task to the compliance team or to the lawyers. When business leaders take on an active role like this, the compliance message is unified with the business message and the result becomes clear for employees.
In this era of enforcement, these unified messages are an easy way for senior leaders to demonstrate clear, visible communication of their expectations. For example, we know about one company that sets a minimum expectation for leader communications and then has a SharePoint site where the messages are posted, shared, and archived.
Once the values are defined and then demonstrated by leaders, the report identifies one more step: change management. Values are meant to be part of everyday company life, regardless of an employee’s position in the company. The Uber report incorporates this by outlining the need for change management and significant employee input. This illustrates that words on paper and leadership tone are not enough. Company values need to be tangibly woven into the organization. Any consultant can pick words, but the employees bring them to life. The decisions each employee makes every day determine if the company will build or maintain its reputation.
On the other hand, it only takes one or two people to make decisions that destroy that reputation. Employing values to create a culture where employees support each other to make value-based decisions increases the chance that contrary decisions will be avoided or detected. By recognizing the need for change management, the report shows that simply publishing a new set of values does not implement them.
It takes time and effort to change a culture. Partner early with your change and communications teams to appropriately identify and convey your message throughout the organization. In addition, finding the right ways to train and keep up an educational cadence with your employee population is the next step of that foundation.
Leveraging training to drive behavior and culture shifts
Once the company values are selected, training and processes help employees to understand acceptable choices that are aligned with company values. The Uber report reminds us that there are four key audiences to train to achieve the desired culture: senior leaders, the HR department, managers, and interviewers. For each of these, the report states that training should be mandatory, not optional.
Devoting time and resources to train senior leaders to focus on how to “walk the talk,” combat implicit bias, and encourage an inclusive culture will help change company culture. The senior leader training should also encompass more fundamental leadership skills like goal setting, implementing corporate controls, identifying control breakdowns, and other general management skills. This recommendation suggests that as Uber transitioned from a startup to a global company, it may have not had the infrastructure to support the development of these skills. Compliance is sometimes considered a luxury that only well-established companies institute but it is not. In-house counsel should keep an eye on their company’s changing profile and continue to assess if more robust controls are necessary. Fortunately, there are many respected consultants in this area who can provide sage advice and training content.
The Uber report emphasizes the need to ensure that the HR department is properly equipped to know how to investigate complaints regarding discrimination, harassment, and retaliation. When HR uses a clear investigation process, including documentation, it ensures consistent handling of concerns and accurate records. The report points out that it is important to define when to escalate concerns or when disciplinary decisions should be escalated for legal review. For example, it recommends that there should be legal review for an investigation that validates a discrimination violation but does not result in a termination.
Beyond senior leadership, significant in-person training is needed for Uber managers. Typically, most employees interact with these direct managers rather than senior leadership — these managers need the skills to handle those situations. This training should cover a variety of topics, such as unconscious bias and general management skills, including evaluating an employee according to the company’s values. Once again, the report emphasizes the issues of diversity and inclusion, including communicating with and valuing all employees. Similar to the HR training, manager training will also include how to handle complaints, identify legal issues, and involve the legal department. Offer the training at scheduled, periodic intervals. This will help reinforce the messages and assist the change management.
To avoid unconscious bias in the interview process, the report recommends training all employees who routinely interview candidates. Again, the preference is for this training to be in-person, not online. An interview that is approached inclusively and without bias is more likely to attract candidates who will help to build an inclusive and collaborative culture. Standardizing the interview process, including questions, evaluations, and feedback methods, helps eliminate the opportunity for unconscious bias. Train the interviewers on these processes so that they can implement them and provide feedback to improve them.
Keeping in touch with old colleagues
Some suggested areas for inquiry, but by no means an exhaustive list, might be:
- Are you aware of any conduct or activities by employees, contractors, providers, volunteers, or vendors — that violate the company’s legal or contractual obligations or polices? (Give examples that relate to your business — falsifying research, false reports to the government, sharing company information with a competitor, etc.) If yes, by whom and what was the issue?
- In your position, did you act as a key control for which there will be no backup when you are gone?
- Do you know of any ethical or compliance issues that should be addressed? If yes, please explain.
- Do you feel executive leadership supported ethics and compliance initiatives throughout the organization? What about your department management?
- Are you leaving the company now because of an ethical or compliance concern that you had about your job or work environment?
- Were you ever asked to engage in conduct you believe to be either unethical of illegal? If yes, please explain.
- Have you reported any serious compliance or ethical problems or concerns to management that have not been addressed? If yes, please explain.
- With respect to the position you are leaving, what remains unresolved that someone needs to know about?
Ensuring HR has a significant seat at the table
HR and ethics and compliance functions are, by their nature, culture drivers and protectors. Uber’s report astutely calls out two critical components to ensure that HR has the right ability to influence the organization: (1) confirming that human resources had the full and robust support of management, and (2) ensuring that the organization is appropriately staffed.
From a management support perspective, no function can deliver on its strategy or its mandate without the proper support of the management team, and the company’s chief executive. That support must be public and show that the company is truly invested in fostering the right culture, and retaining its talent in the right ways. That includes following through on recommendations made by human resources, and ensuring that there is a zero-tolerance policy for illegal and inappropriate conduct.
Having the right number and caliber of HR professionals to support the organization was also a focus area of the report. It is critical for any organization seeking a culture of compliance and ethics to have the right HR support for its business leaders and its employees. Without that functional support, critical initiatives like policy management, training, and employee support can be left by the wayside. Finally, having high-caliber talent (both high performers with high potential, and a sophisticated understanding of leadership) in those roles only improves the service level in those areas, and thus the overall compliance and culture.
In addition to recommending overall infrastructure changes to the HR department, the report also made several key diversity and inclusion recommendations. As a preliminary matter, the report recommended establishing a diversity advisory board and driving greater transparency in “how” the company was doing by publishing diversity statistics. In addition, they advised Uber to adopt new recruiting strategies like blind resume reviews to target diverse sources of talent, as well as implement the “Rooney” rule (borrowed from an NFL rule requiring teams to interview diverse candidates for leadership roles). Other suggestions included recognizing and rewarding diversity efforts, conducting unconscious bias reviews, and other initiatives to boost and improve the organizations culture of diversity and inclusion.
Complaint processes and their functionality in driving visibility to problems
Company values and training help frame the company culture. Misconduct seldom occurs in a vacuum. Someone else usually knows or suspects something is wrong. Managers, hotlines, and complaint processes provide vital channels to express concerns about behavior that may not follow the company values, policies, or the law.
The report emphasizes the need to have a robust complaint process and defined escalation criteria. When an employee raises a concern, it is important that the employee understands there is a fair and impartial investigation process that escalates findings when appropriate. When employees feel ignored or dismissed, they will not bother to raise concerns to the company anymore. Instead, they may reach out externally to find solutions, as whistleblowers do.
Regarding the process, the two simple steps the report recommends are: (1) communicate the process, and (2) thoroughly investigate complaints. The complaint data provides information that can be used to improve policies, processes, and training. It also provides information to guide corrective action, from coaching to termination. Complaint-tracking software can easily streamline processes, analyze data, and provide a repository for documentation. Addressing trends proactively can help prevent bigger issues or avoid promoting an employee whose behavior is not aligned with company values. Think of it as an early warning system regarding company culture. Too many incidents may indicate that more work is needed to improve the culture, and that there is a continuing battle to demonstrate to your organization that complaints can be brought without the fear of retaliation, which is usually a primary driver in complaints not being reported.
Hiring and retaining the right talent to foster culture
Research shows that companies with cultures of high integrity outperform those without it. It all starts with hiring the right people. The hiring process is essentially a screening process. With the right due diligence in hiring, less effort is required to maintain the values and compliance.
Once an employee is hired, compensation serves as powerful motivation to ensure accountability. This applies throughout all levels of the organization. The report specifically recommends connecting executive compensation to company values, including ethical business practices, diversity, and inclusion. This again demonstrates the company’s commitment to how results are achieved. Actions speak louder than words. A company sends a contradictory message if it rewards a top performing salesperson who exhibits behaviors inconsistent with company values. Reinforcing company values and compliance in compensation and performance reviews sends a consistent message: You need both to succeed. It also helps identify employees who are struggling and determine whether coaching and counseling is sufficient or whether stronger action is needed. Promoting someone who lacks judgment means that small problems could become big ones later unless that person receives sufficient support to address the gap.
It is also important to monitor what happens when employees leave. Turnover in the company, or even a department, can be a warning sign of a culture issue. Exit interviews can also be enlightening. The report suggests implementing both monitoring and exit interviews to identify trends and reasons why employees leave.
Building a foundation with your policies
There is a key premise where the world of human resources and compliance intersect — you must do your work as an employer to set the expectations for your employees in advance of holding them accountable to those expectations. Step one in that process is building, deploying, and educating your employees on a set of policies that will effectively drive your culture in the right direction.
Policies are not something you can create in a vacuum, deploy to your employee population, and then act as though they do not need long-term support or discussion. Policies should get a periodic refresh, require training, and be discussed as true tenets of your organization. They should be crafted to reflect the realities and the risks of your workforce and your industry.
In addition, your policies cannot be left to survive and manage themselves. They require a true “owner” (as called out in the Uber report), who will ensure they are managed and evolve along with the organization. That owner can also provide larger oversight to apply policies evenly and without discrimination, and to draft and implement polices to address organizational issues and support your overall compliance structure.
Apply the lessons
In looking at Uber’s complexities, both business and compliance related, and the lessons learned from this report, our overarching advice is to understand the lessons learned here, and then apply them to your organization in a sustainable way. There is no one-size-fits all model for compliance programs and how those programs dovetail in with their functional and operational partners. That said, the lessons learned from the Uber investigation and the resulting Uber report can be used by all compliance and business leaders. The key is determining how they can be applied in your organization in an authentic and sustainable way, and which are the right fit for your program. It is essential to also take away from this case study that compliance is not only a business issue, but a brand issue. It is every leader’s responsibility to instill compliance practices as an organization seeks to build and grow a culture of integrity
ACC Extras on… Leadership and compliance
ACC Docket
Complying with OSHA’s “New” Anti-Retaliation Provisions (April 2017).
Research Roundup: Unpacking Ethics and Compliance with Melanie Condron of Accenture (March 2017).
How Compliance – or a Lack of – Led to the Failure of ITT Tech (Oct. 2016).
Program Material
Effective Compliance Training (Nov. 2016).
Compliance Program Fundamentals (Oct. 2016).
Enhancing Compliance and Risk Management Through Contracts (April 2016).
ACC has more material on this subject on our website. Visit www.acc.com, where you can browse our resources by practice area or search by keyword.