Last week, I had the privilege and pleasure of engaging in a speaking tour in Brazil. It is particularly meaningful to me that Brazil was where I kicked off my post-DOJ public life: it is a country that I love for its people, music, and food, and one which has been rocked, politically and economically, by the Lava Jato (Car Wash) scandal that involved allegations of widespread corruption centering around the state-controlled oil company Petrobras.
Even as I landed in Rio di Janeiro on the early morning of Tuesday, August 22, Lava Jato news were dominating the headlines. On that day, Brazilian prosecutors charged the former Petrobras CEO Aldemir Bendine with corruption, alleging that he took bribes from the construction firm Odebrecht. On the same day, an appellate court suspended the leniency agreement of Odebrecht, ruling that only the Brazilian Office of the Comptroller-General (CGU), not the Federal Prosecutor’s Office, had the authority to approve such leniency agreement. The next day, Petrobras announced that its board was suspending its director of governance and compliance, João Adalberto Elek Jr., for allegations relating to conflict of interest involving the hiring of Deloitte while his daughter was being considered for a job there.
Appropriately, my very first meeting, in such an event-filled week, was with members of the CGU on the morning of August 22. In the three intense hours of uninterrupted meeting, we dove straight into their work in the leniency agreements, and I shared my experiences of evaluating corporate compliance programs at DOJ. Three members of the CGU then joined me in a workshop on the “Implementation and Evaluation of Compliance Programs” at the Brazilian Institute of Petroleum, Gas and Biofuels (IBP). The workshop was followed by press interview, then dinner with a small group of compliance leaders, among whom was Mr. Elek, who would be suspended the next day. There was no sign that he, or anyone else at the table, had any inkling of what was to come.
In the days following, I conducted additional workshops at the American Chamber of Commerce in Rio, the Center for Research and Teaching in Compliance (CPEC) in São Paulo, and finally, at the Advanced Anti-Corruption Boot Camp in Guarujá, hosted by CPEC and the Chediak law firm. Over these days and meetings, I had the privilege of listening to the concerns and answering the questions of those who want to make a positive change in Brazil. I have learned some humbling and encouraging lessons, which have caused some further reflections.
Growing a Compliance Culture
Many people remarked on the nascent nature of the compliance profession in Brazil, and wanted to know what they could learn from a more “developed” compliance market such as the US. There was much acknowledgement of how new the concept compliance was for most Brazilian companies, and the need to start from the basics. This very desire to learn and grow, ironically, is a lesson that more “developed” markets can learn from Brazil. I believe one of the most important criteria for success in a compliance program is the willingness to be self-critical and to never be complacent.
My worry, however, is that the compliance development in Brazil appears to be spurred by the same forces that spurred compliance growth in the US since the 1990s: fear of punishment, desire for leniency, and avoidance of scandals. When these factors are the motivating forces behind a compliance program, the program becomes more an insurance policy than engine for ethical behavior. Not one time did I hear people speak of “ethics” – only “compliance.” Compliance without ethics can be a dangerous thing: it becomes the lowest common denominator; it becomes something about what is required or prohibited rather than about what is right or wrong; it becomes something that can change directions according to the regulatory/political winds.
Brazil has an opportunity to skip ahead of this fear-driven path, to encourage ethics-based compliance that is not focused on formalities or spending, but on effectiveness and results. This opportunity was the center of much of my discussion with the CGU.
Courses and Certifications
Evidencing the desire to learn, I got repeated questions about what courses or programs might be useful for the training of budding and maturing compliance professionals. At the organizational level, there were also questions about the value of certifications, including certifications under the ISO 37001. My answers, for both training and certification at the individual and organizational levels, are the same: it depends on who is doing the training/certification, and what their methodologies are. I heard anecdotes of young auditors who were one day asking questions about “what is conflict of interest” and next day and week going out and auditing companies for certification on that very topic.
I cannot recommend any courses or programs because, first and foremost, I have never taken them. I have never made the effort to take them because I could not discern how these courses and programs have selected their faculty, developed their methodology, or evaluated their results. Coincidentally, while in São Paulo, my visit coincided with an “Ethics and Compliance Academy” run by a popular industry organization. From a quick look at its agenda and faculty, I could not tell what efforts, if any, were made to contextualize their instructions to the particular cultural and social settings of Brazil, or on what basis have the trainers distinguished themselves in their subjects. I also do not know how the effectiveness of these courses and programs are tested and measured. The one thing I can say from my own experience is that I have met and worked with compliance professionals both with and without these certifications: I have observed no difference in their skill level. What I believe to be a more important qualification is a person’s judgment, and in my experience, that is more difficult to teach in a formal setting, but is often learned by working with strong leaders and mentors.
The same goes for organizational certifications. One of the most interesting aspects of the ISO certification regime is that there is no certification of certifier. ISO 37001 is also written in a way where an organization can meet its terms literally, albeit doing so poorly. More on that in another blog.
Family Owned Businesses
The question about the governance of family-owned businesses came up a lot: to what extent can a compliance program be effective within a family owned business? Witness the Cueto Brothers of LaTAM Airlines: Juan Jose on the Board of Directors, Enrique as CEO of the LaTAM Group, and Ignacio as LAN CEO, despite Ignacio’s role in LAN’s bribery conduct that resulted in a fine from the SEC and a deferred prosecution agreement with the DOJ.
The governance of family-owned businesses poses unique challenges due to the nature of a closed-system. The critical question is whether the family is truly committed to opening up that system for external supervision and scrutiny. If so, it can choose to cede certain powers to external parties, such as outsourcing internal reporting, investigation, and remediation, up to and including disciplinary actions against family members, to an external board, for example. Only a visible commitment to such transparency and accountability would begin to instill credibility in its compliance program. This is by no means a problem unique to Brazil: one needs to only look at the Trump Family’s struggle with external scrutiny to see that even “developed” markets face significant challenges.
I want to thank Rafael Gomes for organizing this extraordinarily rewarding speaking tour, and for all the compliance professionals and government officials who shared their thoughts with each other and with me. Brazil is reacting to its Lava Jato crisis in the best way one can hope for: it is capitalizing on lessons learned. Every society will face its crises: the question is, how will it grow from them?