Monday, December 22, 2008

Security Governance: Siemens FCPA guilty plea...

One only has to look a few layers deep into the corporate hierarchy to see the root cause of why Siemens AG violated the Foreign Corrupt Practices Act (FCPA).

At a hearing before U.S. District Judge Richard J. Leon in the District of Columbia, Siemens AG pleaded guilty to a two-count information charging criminal violations of the FCPA’s internal controls and books and records provisions. Siemens S.A. - Argentina (Siemens Argentina) pleaded guilty to a one-count information charging conspiracy to violate the books and records provisions of the FCPA. Siemens Bangladesh Limited (Siemens Bangladesh) and Siemens S.A. - Venezuela (Siemens Venezuela) each pleaded guilty to separate one-count informations charging conspiracy to violate the anti-bribery and books and records provisions of the FCPA. As part of the plea agreements, Siemens AG agreed to pay a $448.5 million fine; and Siemens Argentina, Bangladesh, and Venezuela each agreed to pay a $500,000 fine, for a combined total criminal fine of $450 million.

Where the compliance and ethics culture begins to break down in this example and others lies within the "Modus Operandi" of the "Deal Makers" themselves. The sales and marketing mechanisms that funded the budgets of front line managers to perpetuate the corruption are to be thoroughly examined. The competitive environment and the "wink and nod" of selling 101 at Siemens has brought them into the ranks of Enron, WorldCom, and other global transnational corporations soon to be announced for their misdeeds and corporate malfeasance. This NYT article by Siri Schubert and T. Christian Miller highlights the cultural factors:


“Bribery was Siemens’s business model,” said Uwe Dolata, the spokesman for the association of federal criminal investigators in Germany. “Siemens had institutionalized corruption.”

Before 1999, bribes were deductible as business expenses under the German tax code, and paying off a foreign official was not a criminal offense. In such an environment, Siemens officials subscribed to a straightforward rule in pursuing business abroad, according to one former executive. They played by local rules.

Inside Siemens, bribes were referred to as “NA” — a German abbreviation for the phrase “nützliche Aufwendungen” which means “useful money.” Siemens bribed wherever executives felt the money was needed, paying off officials not only in countries known for government corruption, like Nigeria, but also in countries with reputations for transparency, like Norway, according to court records.


The line item utilized by business development executives at Siemens to secure business is not exclusive to Siemens or to Germany. It is utilized by almost every major global corporation to obtain the opportunity to compete and to make the short list on major procurements. So how do internal audit and operational risk professionals deal with the fact that money is budgeted each year for these kinds of activities?

Corporate Integrity Management and ethics programs are a great place to start. This blog highlighted these in a previous post a few months ago:


Every Fortune caliber organization from financial services to health care has already implemented a pervasive compliance program to mitigate the risk of ending up with the SEC or US Attorney in the lobby.

The catalyst behind these initiatives is generated from the U.S. Sentencing Commission's Organizational Sentencing Guidelines. They allow for more lenient sentencing if an organization has evidence of an "effective program to prevent and detect violations of law."

The Guidelines contain criteria for establishing an "effective compliance program."

These include oversight by high level officers, effective communication to all employees, and reasonable steps to achieve compliance such as:

  • Systems for monitoring and auditing
  • Incident response and reporting
  • Consistent enforcement including disciplinary actions

Yet the corporate incivility continues. Why is it that we can’t pick up the morning paper or listen to the news on the way to work without hearing about a new indictment of a top ranking officer?

Security Governance is a discipline that all of us need to revisit and rededicate ourselves to. The policies and codes we stand by to protect our critical assets should not be compromised for any reason. More importantly, security governance frameworks must make sure that the management of a business or government entity be held accountable for their respective performance. The stakeholders must be able to intervene in the operations of management when these security ethics or policies are violated. Security Governance is the way that corporations or governments are directed and controlled. A new element that has only recently been discovered is the role of risk management in Security Governance.

Security Governance, like Corporate Governance, requires the oversight of key individuals on the board of directors. In the public sector, the board of directors may come from a coalition of people from the executive, judicial and legislative branches. The basic responsibility of management, whether in government or the corporate enterprise, is to protect the assets of the organization or entity. Risk and the enterprise are inseparable. Therefore, you need a robust management system approach to Security Governance.

If a corporation is to continue to survive and prosper, it must take security risks. A nation is no different. However, when the management systems do not have the correct controls in place to monitor and audit enterprise security risk management, then we are exposing precious assets to the threats that seek to undermine, damage or destroy our livelihood.