Enrique Aznar, professor of our Executive Legal Compliance program, tells us his vision regarding the new challenges in the sector after Covid-19 and the future of Compliance

1. Tell us about the evolution of Compliance in the past years, from the moment you began your career, to what it is today.

I started in the fascinating world of Compliance in 2005, when I moved from Dell Computer to Tyco International. Tyco had provoked one the biggest corporate scandals of the beginning of the XXI century (together with others like Enron, WorldCom, Adelphia, etc.).

When I accepted my appointment as Chief Compliance Officer for Europe, Middle East and Africa, covering 35 countries, with combined revenues of USD $6bn and nearly 30,000 employees, Tyco was subject to a number of investigations by the US Department of Justice (DOJ) under the Foreign Corrupt Practices Act (FCPA), the company’s CEO and CFO had been jailed with sentences of up to 25 years of prison time for theft and the company was facing a number of lawsuits from angry cheated shareholders who had lost most of their investments in the company.

 While I had received some FCPA training in the past and I had experience as a corporate lawyer in big multinational organizations, I was not really familiar with the world of Compliance. Probably, not many people outside of financial industry in Continental Europe were at the time! I caught up quickly with the basics of Compliance and focused on educating employees around the region about the risks of corruption and its consequences. At Tyco, we shortly realized that, beyond education, polices and controls, we needed to work hard at addressing important governance and cultural issues. It was imperative to create an adequate organization to support the business and achieve 100% coverage, external legal cost optimisation, measurable client satisfaction improvement, integrity, collective responsibility, ethical leadership, teamwork, commitment, professionalism, accountability, grace and humour. We developed and implemented a new legal model (SMARTER - Segment Management, Regional Teams and External Resources) and replaced more than 280 law firms in the region that were advising at different levels, with little visibility from the legal and compliance teams, by one legal services provider.

This offered me with an excellent foundation for my next job as Chief Ethics and Compliance Officer at Nokia Siemens Networks based in Helsinki. Nokia and Siemens had merged in 2007 their respective telecoms networks divisions shortly after Siemens’ major corruption investigation (that had cost Siemens more than UDS 2bn in fines and legal and accounting costs).

At Millicom International Cellular, a global telecommunications group with mobile telephony operations in 13 countries in Latin America and Africa, with revenues around USD5bn in 2012, I had the opportunity to transform my role of Head of Corporate Governance & Compliance, based in Luxembourg, into a broader role as Chief Integrity Officer, reporting to the CEO, when management understood the convenience of going beyond compliance and aiming at creating a positive social impact as a by-product of its financial investments. Corporate Social Responsibility became a fundamental pillar of the “doing the right thing” theme that guided the Integrity function beyond Compliance[1] and helped us focus not only on preventing corruption but also on areas like competition, conflicts of interest, privacy human rights, health and safety, energy consumption and social impact in developing countries.

Later, I joined VimpelCom, a global telecommunications group with operations in 14 countries (approx revenue 2013 USD23bn). Reporting to the Chief Executive Officer and as member of the Group Management Board, based first in Moscow and then in Amsterdam, I was responsible to implement VimpelCom's Compliance program in the company's operations. It was my duty to monitor the company's worldwide activities and transactions to ensure that business was conducted in an ethical and legal manner and that policies and procedures were followed to reduce the risks of non-compliance with laws and regulations. At the time, the company was subject to a US-DOJ and Netherlands’ prosecutor investigation for corruption in Uzbekistan that ended in February 2016 with a deferred prosecution agreement, a USD 795million fine and a 3-year monitorship. During this period, focus on creating a corporate culture based on values was as relevant as establishing the right controls and coordinating strongly with other assurance functions (internal controls, internal audit, legal, finance, forensic investigations, revenue assurance). After the DOJ settlement, I was appointed as Chief Values and Culture Transformation Officer with the objective to implement a strong values-based corporate culture and transform the business into a digital organization.

In summary, the evolution in the compliance function that I have experienced in my career has gone from raising awareness, educating employees about risks and policies, establishing controls and reacting to crises to introducing a reflection about the purpose of the organization, its impact in society and in developing corporate cultures based on ethical, pragmatic and emotional values in order to elevate the levels of consciousness of the organization and its members.

2. What are the challenges compliance professionals face today with regards to career development?

The compliance profession is very rewarding when the compliance professional manages to influence behaviors and support cultural transformations that aim at “doing the right thing”.

Many companies are currently working on creating cultures of "compliance" i.e. corporate cultures focused on respect for the norm. Courses and texts on "how to create a culture of compliance" have proliferated in recent times. This is a major step forward in relation to the past, when companies cared more about the end than the means and the ability to find shortcuts was considered more of a professional competence than a recklessness, regardless of whether the shortcut could lead to the abyss or, in other words, a violation of the law.

Compliance Officers will find their work more meaningful, fulfilling and interesting, however, if they devote their efforts to create a corporate culture based not on fear of the consequences of non-compliance but a culture based on values, in which its members are conferred responsibility for self-analysis, weighing their individual obligations and responsibilities in relation to their professional and organizational responsibilities before applying decision-making standards and deciding: i.e. an ethical culture.

To create an ethical culture, the company's goal must go beyond mere regulatory compliance, building a business model that actively seeks social impact and which, based on the company's core purpose and values, including integrity and respect, can align with the principles and objectives of international reference frameworks, such as the Global Compact or the United Nations Sustainable Development Goals and the Guiding Principles on Business and Human Rights.

In my experience, the main challenge in implementing effective compliance programs has been the lack of sensitivity by management and boards towards doing the right thing. Management incentives tend to be related to short-term results and boards are, sometimes, more focused on shareholder value than on the organization’s contribution to society.

I have worked for organizations that were going through serious corporate scandals (corruption investigations, shareholder lawsuits, etc.) and companies that simply wanted to prevent compliance scandals. With few exceptions, I have generally received more support from management and boards when the company was trying to resolve a compliance issue than when it was trying to prevent it. To me, the real challenge is the need to elevate the levels of consciousness of the organization, starting with the board and management teams.

Companies are slowly realizing, however, that the Compliance Officer can bring value to the company and its people and that having an independent, adequately resourced, professional Compliance team may prevent serious nightmares. It is not unusual now to see Compliance Officers sitting at the Management Board of big corporations.

3. What are the functions of a compliance officer, his or her competence and skills and what is the importance of having an effective compliance department in a company.

A new discipline, "Criminal Compliance", has emerged in recent years to ensure that organizations implement sufficiently effective controls for the prevention, detection and correction of crimes. Generally, under this new legislation, legal persons may obtain exemption from their criminal liability by implementing effective models of organization and management or, in other words, effective compliance programs, which allow the prevention and detection of crimes. The implementation of compliance programs is generally not mandatory, although it is a necessary requirement to obtain an exemption from criminal liability in the event that a crime has been committed, directly or indirectly, through the legal person.

International Compliance regulations generally identify the need to create corporate cultures that minimize the risk of non-compliance. In this sense, in addition to the implementation of internal measures and controls aimed at preventing and detecting the commission of crimes, an important element in determining the existence of an efficient compliance program in the company is the demonstrable existence of a corporate culture based on ethical values.

Companies have to make difficult decisions and, with the support of the Compliance Officer, they may sometimes lose business opportunities due to their possible unethical implications. In the long run, however, compliance is associated with stability and trust and it is also a matter of personal responsibility and decency.

The Compliance Officer will bring value to the company's strategy to create an ethical culture that has a positive impact by focusing on four key elements:

1. Reduced costs and risks with preventive measures, improved risk and problem management, identification of opportunities to combine cost benefit and social performance, as well as increased energy efficiency of office networks and buildings.
2. Creation of value actively seeking to offer organizational and commercial solutions to social problems that are directly or indirectly related to the activities of the company.
3. Search for a competitive advantage through corporate responsibility activities, linked to the company's core business, that distinguish the company with equitable employment practices and community activities that align closely with the company's business strategy and core competencies.
4. Development of the company's legitimacy and reputational capital with strong relationships with the communities in which it operates, stakeholder engagement and transparent reporting and communications.

In my view, a Compliance Officer needs to have a purpose that goes beyond ensuring that the organization does not breach the law. A Compliance Officer should be the catalyzer of the organization’s culture transformation. To do so, he or she must not only understand the applicable laws but also have business acumen, people skills and lots of integrity, maturity and resilience.

 4. Do you think Compliance will gain relevance after Covid19? What have the effects of the pandemic been and why?

 During the lockdown, IE Law School kindly invited me to a speak at a webinar session titled “How can companies update and improve their compliance policies after the covid-19 crisis?” At the webinar, I suggested that organizations are facing new risks and that risks assessments should be reviewed to include and address these risks. Not only unexpected risks of pandemics but risks related to the “new normality”. Many companies have suffered distress when their usual suppliers were unable to ship products from remote locations or were suffering from production shortages themselves. These companies had to rush to identify new suppliers and may not have acted with the adequate diligence in selecting them. One must not forget that third-party related risks are high in most organizations risk assessments. Other risks related to the new way of working from home include cybersecurity, health and safety hazards. Some companies may also be tempted to recover lost ground by cutting corners in risky ways. Requests from donations and charitable activites should continue to be properly scrutinized. Reduction of staff and greater interaction with the public sector, renegotiation or revision of contracts, obtaining permits, increased risk of fraud in general, handling sensitive information outside the working environment are other risk that deserve a higher degree of attention post Covid19.

Many companies and many employees have realized that the activity to which they devote most of their effort and time is considered "non-essential". New consumption patterns will require companies to review their business models, assess whether their corporate culture is best suited for this new normal and develop new values-based cultures, focused on maximizing the prosperity and social impact of their different stakeholders, including employees, that allow the continuity of their activity in a considerably different environment.

Collectively, we now have an opportunity to reflect on what we want from our society and our companies. Do we really want to create corporate cultures of strict compliance with standards or do we prefer to raise the levels of consciousness of their members so that they, being aware of the impact of their actions, make the right decisions in the right context?

5. What do you enjoy most about teaching? And what have your learned about teaching virtually?

Lecturing at IE Law School has brought me the opportunity to share with younger generations some of the learnings that I have gained in my career as a lawyer and Compliance Officer as well as in my own personal journey. I enjoy discussing not only about technical matters but also identifying challenges and stimulating students to think critically about ethical dilemmas. It is always stimulating to face questions asked from a totally different point of view or mindset. I learn as much from my Business Ethics courses and our group discussions than from real life.

Virtual teaching is a practical and convenient way to stay connected and continuing with our mission to create positive impact in society. I miss somehow the spontaneity of life classes, although I feel that students are increasingly more comfortable and more open to participate in the distance format. Perhaps one day they will also feel comfortable to keep their cameras on and maintain a bit of the human touch in the lecturer-student relationship!

[1] Beyond Compliance: Make Way for the Chief Integrity Officer. Aznar, Enrique y Vaccaro, Antonino. 27, s.l. : IESE, 2015, IESE Insight.