Ursula Schmidt (office@schmidt-advisory.com, linkedin.com/in/schmidt-advisory/?originalSubdomain=lu) is owner of the consulting firm Schmidt Advisory in Luxembourg. She formerly served as Executive Vice President, Audit & Compliance, at RTL Group SA.
As a compliance professional, have you ever been confronted with blatant, open, persistent resistance? Not just that one occurrence of, “Oops, I wasn’t aware of the new travel and expense policy,” but rather, “The new travel and expense policy doesn’t concern me; it’s just for staff”? And, although you consider your company a well-organized one with a sound attitude towards risk and overall good processes in place, this blunt refusal to comply with internal rules doesn’t seem to astonish anyone. If you talk to staff, you hear consistent stories, like, “He has a special agreement with the CEO about his expenses,” “We have been told to reimburse everything he submits,” or worse: “Yes, the amounts are huge, but he doesn’t like to be questioned about anything.” If this sounds familiar, chances are you just met a sacred cow.
So, what’s the massive difference from someone just being a little grumpy about compliance rules and simply not liking compliance overall? “Sacred cow status” in compliance typically means that there are three things present in an organization: 1) There is strong resistance to being criticized or even questioned about certain practices—something is “off-limits” for compliance; 2) there are seemingly common beliefs that such practices are normal and to be accepted; and 3) common beliefs or practices tend to be entrenched—sacred cow status isn’t gained overnight.
The concept of sacred cows is thought to have its roots in Hinduism, where cattle are venerated as special animals.[1] As an idiom, sacred cows have some characteristics that mirror well what we may observe in an organization if compliance faces a roadblock: common ideas, beliefs, or practices that are immune to being challenged, appear to be generally supported, are often rooted in tradition, and are hard to change.[2]
Sacred cows in an organization can bear a variety of risks, are sometimes difficult to spot, and, once identified, are hard to weed out. Hence, for a compliance professional, it is crucial to be aware of the risks and triggers that can lead to sacred cow status and have a few strategies at hand in case a sacred cow gets out of her shed.
A multitude of risks
Persistent compliance failure: This might be stating the obvious, but a person, process, or product that is “off-limits” for standard compliance scrutiny can expose the company to all the risks inherent to the respective compliance failure. Let’s say an internal product approval process is challenged by compliance because it doesn’t follow all the required steps for technical and legal clearance. If the process has gained solid sacred cow status (“Our approval process is sound. I advise you not to challenge it”), chances are compliance won’t be successful with its assessment. Doors are wide open for future compliance failures.
No-mistake culture: Strongly linked to the risk of persistent compliance failure, a no-mistake culture can help sacred cows thrive. Imagine the kind of leader whose main purpose is to present themselves in the best possible light. Chances are they will be rather immune to criticism and intolerant of anything happening that might cast a shadow on their personal image. Without any sort of balancing governance in the organization, such leadership behavior has a high chance of bringing out strong beliefs that mistakes are to be avoided at all costs—and if mistakes happen, they are best swept under the carpet.
Lack of transparency: If something or someone is supposedly “off-limits” for questioning by compliance, chances are it’s also “off-limits” for others in second-line roles. Is there a contract “off-limits” for compliance to review, even though it is usually their role to vet certain contracts? Chances are that legal, risk, or other second-line functions are similarly kept out of the game. Common beliefs built over time then lead to rationalization of the status quo (“Only senior management negotiates this contract,” or, “The head of purchase applies extra scrutiny to this supplier”). And due to such a lack of transparency, it can be hard to figure out if such common beliefs are true or false.
Inefficiencies: Imagine a major project that is off-limits for compliance assessment. Common beliefs over time tend to downplay risks: “The steering committee meets regularly,” or “Management gets monthly briefings about the project budget.” However, after talking with more people, compliance finds out that no real discussion takes place during steering committee meetings; the numbers provided to management are incomplete and disguise budget overruns—in other words, common beliefs are wrong. However, everyone agrees it’s a bad idea to make the project manager angry because they are feared for intimidating behavior, and it’s their pet project. Ineffective governance and poor oversight can go a long way in concealing a loss-making project or product or an inefficient process. Related compliance risks are thus likely to be left unaddressed.
Immunity to change: Whether something gets “frozen” in sacred cow status because of past successes, present flops, or any other reason, an organization that doesn’t tolerate challenges to the status quo misses opportunities to change and innovate. This doesn’t even need to be because of bad intentions. Strong self-protection mechanisms may be entirely sufficient to create the common assumption over time that questioning anything is a risky business: “An immunity to change, as the name implies, is a system of self-protection.”[3] Pair this with strong egos and power plays, and there is ample opportunity to block any sort of objective assessment of the status quo.
A point on materiality: Downplaying risks through common beliefs and practices (“You don’t need to do any compliance work here. We never look at dormant companies. They are not material”) tends to use materiality, or rather the lack of it, as a catch-all argument. Nobody likes feeling stupid for insisting that there could be compliance risks even though an entity shows barely any activity. However, getting to the roots of the common beliefs (Does the executive lack knowledge of the entity’s actual situation and obligations? Is there pressure on colleagues to stay hands-off that entity?) could point to risks hiding in plain sight, such as filing obligations not being respected or bank access not being secured.
There is a common denominator in these examples of high-level risks: where culture doesn’t cater much for transparency and open communication, and where power plays and egos get a free ride, chances are high for sacred cows to thrive.
So, what are some typical triggers for someone (or something) to gain sacred cow status?