A corporate scandal does not occur overnight. (Thank you Bob Dylan). A CEO does not begin the day telling him or herself that today is the day to begin the Ponzi scheme or complex fraud. It is hard to imagine but corporate scandals grow from itsy-bitsy steps to bigger risks, and eventually to the full corporate embrace. (Thank you Three Stooges, “Slowly I Turned”). Along the way, it is common for concerns to be raised, for voices and red flags to be ignored, and for key decision points to occur when leaders avoid investigating or addressing a problem.
It is a steady process and there are numerous points where scandals can be detected and prevented, where events were not set in stone and problems could have been avoided. Looking back on a corporate scandal, and with 20-20 hindsight, it is usually easy to find the so-called starting point. It may not be a big issue; in fact, it could be a slight circumvention or ignoring of a rule that results in an immediate and tangible benefit. Once it occurs without any disruption, without any concern raised by a supervisor, the conduct becomes a risk and even a threat to the company.
The question then comes up – will the bending of a rule, or the circumvention of a requirement set out in an internal control occur again. Will the same actors commit the same course of conduct? Will the supervisor say anything or look the other way? Assuming that they move forward again, what is the message being sent?
It is too easy to explain that once committed, a course of conduct is then set to repeat itself. That is too easy an answer. A course of conduct requires a corresponding failure to act, an equal number of opportunities where questions are ignored, concerns are not raised and actors with authority and responsibility fail to carry out their duties.
Little issues can quickly turn into larger issues. Small blips in conduct can turn into larger acts, and more can cascade from that. Take for example when employees fail to follow basic rules for submitting reimbursement requests and ignore the rules or requirements. Or consider an employee who ignores a rule and fills out documentation with false receipts or false claims – the money may not be significant but the principle is important. As more incidents like these occur without consequence or without any response, a tone is set. Other managers and employees observe this pattern – it either is stopped or it continues, slowly growing in scope and context.
Internal controls only work when leaders, managers and employees follow them. If there are no controls, then whatever rules apply usually are made up on the fly. Misconduct will grow. If internal controls are haphazardly enforced, then problems will eventually grow.
The impact of such failures depend on the seniority of the actor – a CEO who ignores controls will send a strong message that compliance does not matter; a manager who breaks the rules in front of staff will undermine the company’s culture in a direct and immediate way, and an employee who circumvents controls in the presence of other employees, slowly but surely will undermine the company’s controls on group at a time.
This may be a troubling observation but consider how many rules were ignored, broken or circumvented by Wells Fargo leaders and employees before it became “acceptable” to fire eight whistleblowers who raised concerns about Wells Fargo’s sales incentive program that resulted in the scandal that continues to hinder the bank’s performance? This is a rhetorical question but I imagine that Wells Fargo’s compliance breakdown was the culmination of millions of miscues that were either ignored or even encouraged as a means to an end without regard for the impact that such behavior would have in the long run.