Governance & Compliance
Insight No. 2

Compliance is Bureaucracy (American Style)

by Armin Sorg



Can Compliance Manuals replace individual responsibility and personal integrity?

The straight answer is ― No. Personal integrity and responsibility are essential to leadership. They are the basis upon which Compliance Systems should be built. Leaders must stand up for moral values and credibly declare that corruption will never be tolerated and always penalized. Compliance Systems, however helpful, must always be used with a sense of proportion. Those responsible must be aware of the risk of supervisory systems being allowed to get out of hand. There is no substitute for personal responsibility.

Compliance*, in a corporate sense, means the supervision of corporate rules. In a wider sense, it means that business dealings must conform to the demands and moral values of society. As such, it should be an integral part of corporate leadership. However, there is a new tendency for management theorists and managers to divide leadership into those tasks that concern business operations and those that relate to legal and social conformity. In a sense, this introduces a form of Taylorism (and Managerism) into traditional governance. Why is corporate leadership being divided in this way? Surely corporate responsibility means ensuring that corporate actions comply with legal and social standards?

Without doubt, the number of laws and regulations that must be obeyed by today's enterprises, no matter what their size or complexity, has increased rapidly in recent years. This applies in particular to global corporations. In the past, traditional compliance tasks were mostly limited to export regulations or data protection and data security. But today a plethora of formal regulations has to be observed, in particular because transactions are often no longer bilateral but involve partners from many different countries and jurisdictions. Apart from aspects pertaining to commercial dealings, other regulatory fields have arisen, for example capital movements and stock exchanges or employment relationships and environmental protection. Consequently, firms have to take numerous precautions to cope with these new rules. Against this background, a Compliance System can help corporations to avoid incurring costs and can prevent damages, fines and loss of image. Compliance Systems, in theory, provide comprehensive protection and help to avoid costly mistakes due to ignorance or carelessness. In practice, however, Compliance can afford only limited protection against such occurrences.

Nevertheless, corporate officers must take all necessary precautions. Should they fail in this duty, they can be made liable for violations that endanger organizational security, if their Compliance Organization is considered inadequate. In 2002, after the Enron scandal, the Sarbanes-Oxley Act (SOX) made Compliance compulsory for US corporations. This law, perhaps a typical American legalist response, places much stricter supervisory responsibilities on chief executive officers (CEOs) and directors, together with the threat of draconian penalties. The Commissioner of the SEC (the US stock exchange supervisory authority), Cynthia Glassman, urged major US corporations to create a special staff position at the highest corporate level to mandatorily report on Compliance directly to the CEO.

Since then, the Corporate Responsibility Officer/Compliance Officer has become standard in US corporations, and not just there. In Germany, Siemens became an involuntary pioneer of Compliance and associated practices. After a change in the law prohibited the payment of bribes in foreign countries (previously accounted for as 'beneficial expenses'), the practice was treated as corrupt from then on. This change placed Siemens in a precarious position: it was suddenly portrayed in the media as the stereotypical corrupt multinational corporation. German public prosecutors began investigating numerous suspected cases of corruption involving Siemens. At that time, the US judicial authorities (the SEC) did not take any action, but under pressure from US lawyers Siemens itself felt obliged to undertake a wide-ranging internal investigation. The huge expense this incurred was borne solely by Siemens. In effect, this amounted to the privatization of legal aid with the bill paid by the accused party.

For over two years, the SEC was like the Sword of Damocles hanging over Siemens. Due to the suspicions raised, Siemens was excluded from public tenders in the USA, and threatened by fines of several billion US dollars. As a preventive measure against SEC demands, Siemens installed a comprehensive in-house Compliance Organization. As head of this organization it appointed none other than Peter Y. Solmssen, the former Executive Vice President & Counsel of General Electric (GE), Siemens's most powerful competitor.

The Siemens corruption affair

As far as Siemens was concerned, the corruption affair was a worst-case scenario. This is demonstrated by the following: within 18 months a Siemens in-house Compliance Organization of around 600 staff was set up, with a one-time cost of 3.5 billion euros and 400 million euros annually. This Compliance Program covers over 100 individual measures. What is allowed and what is not is elaborated in a 42-page Compliance Manual. For example, during business trips, expensive wines and delicacies are taboo and staff may not pay any bills on behalf of spouses or friends of business partners. A whistleblower hotline ('scandals unit') was set up for potential and actual violations, hosted by a US-based services company and available in 100 languages seven days a week. In addition, a Compliance Ombuds Office was established, and twelve forensic investigators (similar to public prosecutors) were hired. A Compliance Monitor (Theo Waigel, the former German finance minister) was appointed for a four-year period to ensure that anti-corruption rules were obeyed and to report regularly to US authorities. With the support of Debevoise & Plimpton, US lawyers specializing in Corporate Governance, over 100 million documents were reviewed – equivalent to around 10 kilometers of file binders (100,000 pages were submitted to the US Department of Justice). As a result, 1.5 million hours were invoiced to Siemens (at up to 1,000 US dollars per hour). A bonus system (20 percent) for Compliance was introduced for 5,500 Siemens managers.

With all of these voluntary and involuntary Compliance measures, Siemens has become a 'benchmark' for Corporate Compliance even by US standards, since no other firm, not even a US corporation, has so far been subjected to such a strict supervisory regime.

American regulations rule

In the wake of corporate scandals in the USA at the start of this century, a completely new Compliance industry emerged with numerous substructures for various branches of investigation together with professional associations, congresses, training firms and, of course, lobbyists: an Eldorado for both lawyers and managerists. This growth of Compliance is remarkable, and it is also very well-paid, compared to other fields of business administration. At the same time, the administration costs that Compliance imposes have also risen. Today, following the global banking and financial crisis, we can expect to see even more Compliance regulations.

In the same way that Compliance has opened up new fields of employment that conveniently absorb an over-abundance of US lawyers, so pressure has grown to extend these practices abroad. Due to global economic interconnectedness and with non-US corporations increasingly listing on US stock exchanges, the number of potential clients abroad is expanding. Siemens is a perfect example of how the SEC is extending its extraterritorial reach and promoting American practices and interests abroad, without noticeable political or business resistance from the countries affected. The beneficiaries are above all US lawyers. The persistence with which American practices are imposed upon other countries has imperial characteristics.

Strike fast, strike hard

The American response to business executives found guilty of improper business conduct is well known. Strict rules of behavior are legally enforced with stiff penalties for violations.

Yet these regulations often have a formal and judicial nature. Although mere nominal conformance is sufficient to satisfy the supervisory authorities, this still places an enormous burden on companies. General Motors (GM), for example, was acclaimed for conscientiously implementing the Sarbanes-Oxley Act (SOX), but whether this results in better corporate supervision is doubtful, given the recent catastrophic decline of GM, once a US industrial icon. That drastic penalties do not always have the expected deterrent effect is demonstrated by the number of prison sentences that have been dispensed. In this sense, the USA is a useful case study for other countries. Numerous instances of corruption, from Enron to Tyco, have exposed the weakness of the US approach. Comprehensive literature on the expected deterrent of drastic penalties exposes a huge disparity between punishment and actual deterrence. In truth the USA, after at first strictly applying such regulations, usually loosens the rules, under pressure from interest groups and 'business-friendly' politicians.

Absolute Compliance

Compliance in selected areas or special cases, in other words, applied restrictively, contradicts the principle that all business transactions should be supervised. The Compliance assumption is that what cannot be rigorously supervised is a potential source of improper practice. Consequently, absolutist demands are made for seamless directives and endless regulations together with Compliance Organizations to police observance from top to bottom and across each company. This unrealistic approach exposes a legalistic obsession with supervision and managerist micro-management, as the previous example of entertainment expenses showed. The smallest payment requires approval by a Compliance Organization and elaborate documentation to cover every possible risk. A plethora of rules cover every potential violation. However, outside the corporate world, in general society with its own laws and policing, we see how futile it is to try to regulate everything to the smallest degree. The costs and benefits soon become wholly disproportionate. The negative consequences that micro-management has on business performance are also well known, including from many case studies in the field of Compliance.

Unacceptable consequences

The growth of a parallel Compliance Organization within Siemens with 600 highly paid staff shows what can happen to a company in the grip of Compliance. Replicating this across the 30 corporations in the German DAX stocks index would create 6,000 new Compliance positions; an amazing number of expensive actors, who create no added value at all.

Members of Compliance Organizations will also have self-serving motives to create further full-time Compliance positions in their corporation. When setting up a Compliance Organization, it is argued that outsiders must be hired at 'competitive' salaries, from the external pool of available legal graduates. Their unfamiliarity with the organic Company Culture is claimed as an advantage, rather than a clear disadvantage: it is argued they will provide a disinterested perspective.

In this way, functional subcultures grow within major corporations and undermine essential internal collaboration and also weaken the existing Corporate Culture: this happens if only for the simple reason that Compliance Managers are awarded above-average salaries and, as standard management practice, are better paid than those they supervise. High-ranking Compliance Managers can attend contractual negotiations with customers, as 'minders' of their colleagues who bear the real operational and commercial responsibility: a highly demotivating situation.

Supervisory roles are, according to modern management theory (as in Lean Manufacturing), functions that create no value. Consequently, if such functions expand fastest the ratio of administration to operational costs will worsen, thus counteracting one declared aim of modern management: to keep administration costs down. Nevertheless, the Compliance function is necessary because it is required by third-parties and because managers will aim to avoid accusations of poor implementation. This huge additional expense of supervision can also be justified within management, due to the risk of consequences for the managers themselves.

For the corporation, however, there is a greater risk: that of losing the proper balance between compliance and responsibility. A stronger emphasis on Compliance means less weight is attached to personal responsibility. At the same time, excessive Compliance will also gradually immobilize a large organization. It destroys the characteristics we expect to find in a dynamic and trustworthy company ― flexibility and individual responsibility.

Managerism and supervision

If bad practice occurs frequently, as it has recently, observers will immediately discover a regulatory loophole which needs to be closed. The greater the failing, the wider and tighter the regulatory net called for. It is typical of Managerism that such solutions are proposed: solutions that involve assigning even more specialist responsibilities with corresponding authorization and monitoring procedures. Solutions that are impersonal and bureaucratic: delegating supervisory responsibility to Compliance Managers armed with Compliance Manuals. What is not suggested is a revitalization of Corporate Culture to strengthen the moral integrity of managers: this would be the really effective and lasting cure. In fact, the spread of compliance culture has the contrary effect: it releases managers from direct and unlimited personal responsibility for behaving properly and legally. What a difference this is compared with the 1990s, when managers gained the insight that more empowerment was needed, that individuals could be given and assume more individual responsibility for their actions. However, that presupposed an enlightened and positive view of human nature, not a suspicious and negative one. Empowerment was seen as the key to greater motivation and higher productivity. Many firms adopted this new management philosophy in order to benefit from progressive innovation, quality and productivity. Today we appear to be taking a step backward and reintroducing micro-authorization and complex supervisory structures, mostly under the guise of Compliance. Where the call was for agility and a Corporate Culture based on trust, Compliance is built upon even more paperwork and reflects a deep-seated mistrust of human nature.

That corporations are weakened in this way is one unintended consequence. Compliance originated from Managerism approaches out of the USA, based on carrot-and-stick ideology (reward and punishment) closely related to Taylorist ideas of production management. However, just as American ideas, ethics and justice are not universally valid ― neither is US legal practice always worth copying (the US is a litigious society).

Compliance in the right measure

Consider the insight offered by Tacitus, the great Roman historian, "The state which is most corrupt has the most laws" (Corruptissima res publica plurimae leges, Annales 3.27.3.). We should bear this in mind and see Compliance in a wider perspective.

In today's world, over-regulation and over-legislation go hand in hand with deep-seated mistrust and business malpractice without consequences. Perhaps we should start over with a system that has a few, clear and simple rules, whose disregard does have personal consequences. This would mean penalizing not corporations but corporate leaders. To go with this, simple and transparent structures are needed. Where byzantine and confused responsibility is the rule, no single person can be made accountable for Compliance.

To ensure that rules and laws are obeyed is a leadership task, which – as is widely preached – must begin with corporate managers and the supervisory bodies which monitor them. That is always where any rot begins. If a business fails to meet its self-prescribed or proclaimed purposes or those expected by its owners, then the company leaders must decide once and for all: do we still accept these objectives and principles or do we employ underhand means to hide the true situation? This is decisive for how the organization as a whole will react, because that decision will reverberate throughout the organization. Another interesting aspect is that the managers of a truly competitive corporation with a superior product and service portfolio are unlikely to be faced with this dilemma. Also, companies with properly functioning Corporate Governance, even without Compliance Organizations, will be resistant to corruption. If someone of moral character leads a company, that company will also be more immune to such temptations, one would expect. A balanced Corporate Culture which conveys the message, "We don't behave like that." is another guarantor of good Corporate Governance.

If a whole business sector can collectively agree that certain moral standards of business behavior must be strictly observed, then compliance will happen as a matter of course, and does not require a special parallel organization for that purpose. The US electrical manufacturers association, NEMA, agreed in 2004 on such regulations for behavior in procurement and customer relations in medical technology. This could act as an example for others to follow, beginning in those sectors most affected by corruption: namely construction, pharmaceuticals, infrastructure, energy and telecommunications technology. In these cases too, voluntary solutions driven by public pressure should be preferred to statutory measures.

Compliance ― a cost-benefit perspective

Supervisory tasks have a tendency to turn into full-time jobs and become bureaucratic. This is why the position of Compliance Officer should always be a temporary one. The longevity of bureaucratic entities is legendary, and not just in the public sector. The demand for clean business dealings at all times is an obligation that cannot be guaranteed by elaborate supervisory structures and procedures. What are needed instead are enterprise-oriented solutions, not parallel Compliance Organizations. What matters is leadership with integrity and a corresponding Corporate Culture that must be accepted and obeyed by every business manager.


• Good corporate governance is the precondition for properly functioning Compliance.
• The integrity of corporate leaders and uncompromising consistency from top to bottom should be the guiding principles for the behavior of all employees.
• A product portfolio superior to those of competitors is the best safeguard against corruption.
• Collective action in collaboration with competitors is an effective supplement to legal measures.
• The cost of Compliance must be proportionate: it is an expense and does not create value.
• A culture of personal responsibility is essential.

Armin Sorg, Head Government Affairs at Siemens AG until 2008.


* Organizational measures can support Compliance/supervision within companies. Above all, banks and finance companies set up Compliance/supervisory departments for this purpose. These monitor, for example, conformance to national and international laws and regulations, the prevention of criminal actions (such as fraud), observance of sanctions and embargoes, abuses of market power, conflicts of interest, insider trading, money laundering and data protection. Tax consulting firms have Compliance/supervisory units to monitor tax regulations (above all submission of tax returns) and as a rule these units undertake no consulting tasks. In addition, Compliance/supervision is considered as part of Corporate Governance.