Compliance resistance: The risk of sacred cows in an organization

by Ursula Schmidt, PhD

Ursula Schmidt (office@schmidt-advisory.com, linkedin.com/in/schmidt-advisory/?originalSubdomain=lu) is owner of the consulting firm Schmidt Advisory in Luxembourg. She formerly served as Executive Vice President, Audit & Compliance, at RTL Group SA.

As a compliance professional, have you ever been confronted with blatant, open, persistent resistance? Not just that one occurrence of, “Oops, I wasn’t aware of the new travel and expense policy,” but rather, “The new travel and expense policy doesn’t concern me; it’s just for staff”? And, although you consider your company a well-organized one with a sound attitude towards risk and overall good processes in place, this blunt refusal to comply with internal rules doesn’t seem to astonish anyone. If you talk to staff, you hear consistent stories, like, “He has a special agreement with the CEO about his expenses,” “We have been told to reimburse everything he submits,” or worse: “Yes, the amounts are huge, but he doesn’t like to be questioned about anything.” If this sounds familiar, chances are you just met a sacred cow.

So, what’s the massive difference to someone just being a little grumpy about compliance rules and simply not liking compliance overall? “Sacred cow status” in compliance typically means that there are three things present in an organization: 1) There is strong resistance to being criticized or even questioned about certain practices—something is “off-limits” for compliance; 2) there are seemingly common beliefs that such practices are normal and to be accepted; and 3) common beliefs or practices tend to be entrenched—sacred cow status isn’t gained overnight.

The concept of sacred cows is thought to have its roots in Hinduism, where cattle are venerated as special animals.[1] As an idiom, sacred cows have some characteristics that mirror well what we may observe in an organization if compliance faces a roadblock: common ideas, beliefs, or practices that are immune to being challenged, appear to be generally supported, are often rooted in tradition, and are hard to change.[2]

Sacred cows in an organization can bear a variety of risks, are sometimes difficult to spot, and, once identified, are hard to weed out. Hence, for a compliance professional, it is crucial to be aware of the risks and triggers that can lead to sacred cow status and have a few strategies at hand in case a sacred cow gets out of her shed.

A multitude of risks

Persistent compliance failure: This might be stating the obvious, but a person, process, or product that is “off-limits” for standard compliance scrutiny can expose the company to all the risks inherent to the respective compliance failure. Let’s say an internal product approval process is challenged by compliance because it doesn’t follow all the required steps for technical and legal clearance. If the process has gained solid sacred cow status (“Our approval process is sound. I advise you not to challenge it”), chances are compliance won’t be successful with its assessment. Doors are wide open for future compliance failures.

No-mistake culture: Strongly linked to the risk of persistent compliance failure, a no-mistake culture can help sacred cows thrive. Imagine the kind of leader whose main purpose is to present themselves in the best possible light. Chances are they will be rather immune to criticism and intolerant of anything happening that might cast a shadow on their personal image. Without any sort of balancing governance in the organization, such leadership behavior has a high chance of bringing out strong beliefs that mistakes are to be avoided at all costs—and if mistakes happen, they are best swept under the carpet.

Lack of transparency: If something or someone is supposedly “off-limits” for questioning by compliance, chances are it’s also “off-limits” for others in second-line roles. Is there a contract “off-limits” for compliance to review, even though it is usually their role to vet certain contracts? Chances are that legal, risk, or other second-line functions are similarly kept out of the game. Common beliefs built over time then lead to rationalization of the status quo (“Only senior management negotiates this contract,” or, “The head of purchase applies extra scrutiny to this supplier”). And due to such a lack of transparency, it can be hard to figure out if such common beliefs are true or false.

Inefficiencies: Imagine a major project that is off-limits for compliance assessment. Common beliefs over time tend to downplay risks: “The steering committee meets regularly,” or “Management gets monthly briefings about the project budget.” However, after talking with more people, compliance finds out that no real discussion takes place during steering committee meetings; the numbers provided to management are incomplete and disguise budget overruns—in other words, common beliefs are wrong. However, everyone agrees it’s a bad idea to make the project manager angry because they are feared for intimidating behavior, and it’s their pet project. Ineffective governance and poor oversight can go a long way in concealing a loss-making project or product or an inefficient process. Related compliance risks are thus likely to be left unaddressed.

Immunity to change: Be it due to past successes, present flops, or any other reason that something gets “frozen” in sacred cow status if the status quo isn’t tolerated to be challenged, an organization misses opportunities to change and innovate. This doesn’t even need to be because of bad intentions. Strong self-protection mechanisms may be entirely sufficient to create the common assumption over time that questioning anything is a risky business: “An immunity to change, as the name implies, is a system of self-protection.”[3] Pair this with strong egos and power plays, and there is ample opportunity to block any sort of objective assessment of the status quo.

A point on materiality: Downplaying risks through common beliefs and practices (“You don’t need to do any compliance work here. We never look at dormant companies. They are not material”) tends to use materiality, or rather the lack of, as a catch-all argument. Nobody likes feeling stupid by insisting that there could be compliance risks, although an entity shows barely any activity. However, getting to the roots of the common beliefs (lack of knowledge of the executive about the actual situation and obligations of an entity? Pressure on colleagues to stay hands-off that entity?) could point to risks hiding in plain sight, such as filing obligations not being respected or bank access not being secured.

There is a common denominator in these examples of high-level risks: where culture doesn’t cater much for transparency and open communication, and where power plays and egos get a free ride, chances are high for sacred cows to thrive.

So, what are some typical triggers for someone (or something) to gain sacred cow status?

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings