Business Ethics on Today's World Stage

Good morning, good evening, good afternoon, or sort of anything in between. Welcome to Cloudflare TV. This is Cloudflare's 24-hour TV station. We broadcast around the planet about things that I guess happen on the planet. As we like to say, tune in and geek out. Now my name is Mark Vargo. I'll be your host for the next 30 minutes. I'm coming to you live from London, England today, which is fairly warm and surprisingly rainy. I work at Cloudflare. I'm in the customer strategy group, helping customers think through some of their biggest problems and possibly how to solve them. And today, we have a very special guest and a very special topic. In fact, you could argue one of the largest problems companies are facing today. So in the next 30 minutes, we're going to discuss something called business ethics, compliance, and governance, kind of on the world stage. So some of the largest companies. Now we all know as those corporations become more influential and more powerful, and some say maybe as powerful as governments these days, how do they go about their business, helping themselves remain ethical, remain compliant, highly governed, in order to protect themselves, their employees, and obviously their customers, and just general citizens of our wonderful planet. So today, we have a very special guest named Tim Langton. Tim comes to us as a trustee of the World Business Ethics Forum, and probably one of the most experienced individuals we have in this field. We're lucky to have him today because he's a busy chap. So Tim, welcome to Cloudflare TV. I hope you can see we put a fire on for you so it's nice and warm, so we can have a chat in merry old England. So before we start, I think it's probably appropriate, Tim, why don't you introduce yourself, a little bit of background, and maybe some of your experiences. Okay, thanks, Mark. I've had a good deal about Cloudflare and helping build a better Internet, so it's really nice to be able to interact with you around our little fireside chat. I've worked in risk, ethics, compliance, and governance for more than 20 years in large corporations like BP, BOC, Anglo-American, Centrica, and KPMG, and what it boils down to really is helping those organizations, working out what they need to comply with and how they should demonstrate their ethics. As you've heard, I've kind of crossed a lot of sectors working for those companies, and I've built and run programs for all of them over sustained periods. I've also had the luck to be able to defend companies that have been in trouble. Some of those I can talk about, some of them I can't. The best known one, which people may have heard of, was the Deepwater Horizon incident at BP. I was there before, during, and after that one, and worked hard within the company to help it manage the fallout from that. I'll try and make it spicy, and I'll try and make it clear as well, so this is actually an interesting and fun topic if you look into it carefully. Hmm, yes, I imagine you have lots of stories that will remain on tour, as they say. Now, we hear a lot about business ethics, and I think in the current world situation, obviously, a lot of people are thinking about many, many things, but there's no doubt remaining ethical, remaining compliant, understanding how to govern themselves. There's words that the every person says, but they don't necessarily maybe understand. I guess a simple question to start with is, what is ethics and compliance? What is it really all about? Yes, okay. If you were to distill it right down to its most basic things, it's about two things. The first of those is knowing what rules apply to your business operations, and observing them as you execute those operations. That's pretty straightforward in principle. That's the compliance bit. It's just knowing what the rules and regulations are and meeting them head on. The second bit, which is often the more tricky bit, is the ethics. If you like, you can liken that to doing the right thing when no one is looking. How does a company make sure that when no one is looking, everyone in there does the right thing? The way that operates is, largely speaking, you'll have regulators who are more concerned with compliance than ethics, although they're turning towards ethics now. As a large company operating in many countries and jurisdictions, what you'll find is you've got to be able to show, if you get anything wrong, that you took this stuff seriously in advance. What ethics and compliance is about is those two things, and being able to prove that you've done the right thing before anything bad happened. If you like, you've got to do this stuff in peacetime before it goes wrong, because it will go wrong. If you work in a big company, this stuff happens, there's a fair run rate of stuff that keeps going on, that's perfectly natural, but you need to have in place the stuff that helps you navigate it. That's what it's really about. It's not as easy as saying just doing the right thing. You actually have to have the process in place. One of the things that's always confusing, I imagine, to anyone who's learning more about this is, how do you work out the rules? There's got to be thousands of rules that change, not really hourly, but certainly daily, weekly, and every, I imagine, event that goes on in the world, good or bad, there's more rules. How do you work out what rules are there, and then how do you work out how to apply them to your own business? Yeah, that's a really good question. I think there's two parts to that. Firstly, how you work out what the rules are, and then secondly, what if they change? Taking the first part of those, it's simple, really, working out what rules apply to your business, because in essence, everything flows from your risks. A good company will know what its risks are, and it'll talk about them at its executive and its board and through the company, and it'll know how to manage those. All you really need to do is to say, right, if we're, for example, if we're in Cloudflare, we might have some data protection risks which we need to manage on a day-to-day basis. Okay, we probably have that risk. Right, where are we operating? Right, we're operating, you know, let's just say for the purposes of simplicity, we're operating in the U.S. and Europe. Well, we need to go and find out what the U.S. rules are and the European rules are, and then we need the clever people in ethics and compliance to tell us exactly what those rules really mean. How do they actually translate into things that mean things for our day-to-day operations, and what do we need to do directly as a result? Now, I've simplified there for two countries, but actually, you know, in this day and age, more companies operate across many, many countries, so the art is staying abreast of all of those rules, and there are often tensions between those rules. So, you know, give you one example, right, in bribery law, the U.S. law, which is the Foreign Corrupt Practices Act, says if you're a U.S. citizen and you're paying for a small routine governmental exercise to be sped up, you can render what's called a facilitation payment. It's just a small payment, a dash payment, to get it sped up, and that's fine if you're a U.S. citizen. But in the U.K., that's a bribe. So, you can see straight away, people could get quite confused unless you are really clear about saying, you know, actually, we're going to take the lowest common denominator, it's all bribes, forget it, you know. But that's one very simple example of how that tension runs. Now, from there, the rules change all the time, and this is the really meaty part of it. So, to give you some examples, I mean, it's a growth industry. This is not going anywhere, the regulations just seem to proliferate, and moreover, they proliferate at risk events like the pandemic. So, history shows us that after issues like the pandemic, which change the risk landscape, the regulators come in and say, right, we really need to change the way this looks. To give you some appreciation of how many rules you have, in the U.S., between 95 and 2016, there were nearly 89,000 U.S. federal rules being issued. Now, of those, no one's really sure how many federal regulations there are at any one time, and they kept on the federal register, which is kind of the register of all rules in play. But if you think, one rule isn't necessarily just one line, it could be a page, it could be a book, it could be a whole number of things. But what that really means is that they're issuing about 75,000 pages of fine print a year, with more than 5,000 significant sets of rules per year on average, meaning there's roughly, you know, summarizing here, 200,000 major rules to comply with just in the U.S. Now, they don't all apply to every company, but you need to kind of say, right, of those 200,000, what of them relate to our risks and then move from there? But that's just one country. So, in the U.K., you know, another G8 country, just shy of 53,000 rules have been introduced in the U.K. as a result of EU regulation since 1990. So, and that, and that all of those will need to be renewed when Brexit happens. So, you've just got two G8 countries, you've probably got 140,000 rules. Now, let's be clear, most of those sit in, you know, highly developed countries like the U.S. and the U.K., but they're in a lot of other places as well. So, what you're looking at as a professional in this area is saying, right, what are our risks, what rules govern those risks, and how do they ebb and flow on a daily basis? And if you're operating in more than one country, well, what do all those rules look like? How do we create one set of rules for Cloudflare that works everywhere? And then how do we communicate those rules into the employees so that they can operate knowing that we've got their back, knowing that if they just stay within the guardrails, they're fine? So, it's, you know, it sounds simple, but there's a lot of kind of ducks feet moving under the water to keep this simple and straightforward and calm above the water for the company. So, I guess, silly question, but, so rules get understood, they get written, they get understood, they may get applied, hopefully the right way. Do they then change in flight? And do rules change? And are there examples where you went, oh, no, we're in trouble now? Well, not normally in flight, you'll normally get a good amount of notice if a rule book is changing in flight, what will happen? And it's a good question, because what normally happens is, when rules are being developed, and before they actually come into force, they can change like a wind, because you've got a lobbying process running, and you never know how many lobbyists are in the room, and you never know how many interested parties are behind them. You can see a bill change its course four or five times in the course of its drafting. And I was lucky enough in my past to help draft the UK Bribery Act. And obviously, I can't reveal what happened in there. But it was like operating in a five year old playground, if I'm honest, you know, that the number of interests and the negotiating tactics were fairly brazen, let's just say that. So as they change, the thing about a bill, something which hasn't yet come into force, the thing about a bill is, you know, if you're a responsible company, you're looking at the bill and going, right, if that happens, we've got to go over there. But then if it changes, we are not no longer going over there, you've got to change your course, you've got to manage your processes and your systems and your controls differently. And, you know, to give you an example, when the Bribery Act came out, we had the Olympics in the UK in 2012. So it came into force in 2011. It came in 2012. And everyone was terrified of entertaining there. But yeah, there are ways to do it. You can respect the regulations, but keep the company on the right side. So, I mean, side question to that is, do you have to then often meet with the C-suite? I mean, being a C-suite yourself, to explain these rule changes and these definitions? All the time. And that's part of the job, if you're running a team of this nature is, not only you managing the rules, which I've described already, and the way they're ebbing, flowing and changing, and one country changes and now you've got to change your balance and keep it current. But also, you're looking out to the horizon to see what's coming over at the company. And giving the exec and the board enough notice that they can say, right, that's really important. Let's throw some resource at that and really get it into the right place before we need to or exactly on time so the regulator doesn't get annoyed with them. And yes, those conversations are very much about translating what are very legalistic documents into just basically things which say, right, if the law happens like this, that's what it means for our consumer division. That's what it means for our B2B division. Here are the ways we might need to change. Don't worry, we've got a project team just about to stand up to look at how those will affect our operations and where they will go. And it's about, you know, I mean, in essence, those conversations are about showing you know the issue, generating trust, showing a plan and executing against plan. That sounds like a lot of work for each rule, I guess, or each regulation that comes in. But okay, so here's a bigger question. And I appreciate, you know, in your experience and the world stage that you operate, you know, there's certain things you can and can't say. But just what, I got to ask the question, what happens when companies get into trouble with regulators, right? Because inevitably, you can't keep up with everything. Business is a dynamic environment. What happens when it goes when it goes wrong? Well, I'm going to oversimplify here to answer the question, because it's very, very complicated. But in essence, first and foremost, if the regulators think you've got it wrong, then they will set out to interrogate the company. And there are lots of ways they can do that. You know, they can, for example, do a dawn raid, they can raid your home, they can seize your assets, they can take your phones, your IT, your private IT, they can take anything they want in the company with good reason. And what they will often want to do is to talk to the senior most individuals they can get their hands on, because that's more disruptive, and they want to be disruptive. So they'll go through this phase of actually interrogating a company to get evidence out, then they'll look at the evidence. If they look at the evidence, and they feel the company has done something seriously wrong, and they can prove it, there'll then be a bit of a negotiation where the regulator will say, you did this wrong. And the company will say, well, actually, we didn't for the following reasons. And there's this to and fro. I mean, if it's obvious that you've got it wrong, obviously, that negotiating phases is a bit foreshortened, right? But where the road leads then is broadly speaking into two forks. One is either to trial, which in this day and age is not something that most companies will want to do, because it puts you in the court of the media, and you do not want to be there with your stock price. The more trusted route at the moment, if you've got it wrong, is into what's called a deferred prosecution agreement, which is essentially saying, I got it wrong. I'll go on parole as a company for a defined period. And if I can come out of that parole period, with no egg on my face, it all goes away. Oh, and I will pay a fine, and I'll pay reparations, and I'll pay back all the profits I may or may not have earned on the back of that. But it's, you know, I'm foreshortening and oversimplifying it, because it's incredibly disruptive. When you get these things coming in, when you have a dawn raid, or you have a regulator starting to interrogate a company, they will go straight for the most senior people they can. And that just eats executive time. And executive time is short anyway, and incredibly valuable. This stuff can exercise a company for years and years on end. And aside from, you know, what, you know, what you would understand to be the fines, and I mean, it's worth actually just settling back on that for a sec, because the fines are very, very significant. So they can now be up to 10% of a company's group annual turnover for some risks. So a turnover, not profit, turnover, group turnover. So you do the math. I don't know what it is at Cloudflare. But you know, some of the big, you know, if you do the math at Google, or Apple, or, you know, trillion dollar company, you do the math, it's massive. And, you know, if you look back at the last full calendar year, in 2019, the US government secured to nearly $2.5 billion of fines for bribery crimes. And in the same period, the EU fined EU based companies about one and a half billion euros for competition offenses. So this is big money. We're not talking just about a slap on the wrist. And that's the stuff you see, what you don't see is all the fees sitting on the back of that. So lawyers time, you know, conservative estimates for a big firm in the US 1500 bucks an hour, an hour. And you won't just have a partner running on it, you'll have dozens and dozens of minions and partners running on it 24 seven, often for years. So you do the math again, costs of a monitor. If you look back at HSBC monitor, which is a company called Exeger, there were hundreds of people in that team monitors run at the expense of the company, but they report to the regulator. So there's another cost. So just for our listeners, so monitor not meaning the thing that you and I are talking on, I mean, a group of people that come in and descend. Yeah, they just what they're what they're there to do is to check a company when it's on parole, as I previously mentioned. So if you get a deferred prosecution agreement, what that will come with is someone who will monitor you during the existence of that agreement. They're called a monitor. They will be given terms of reference by the regulator, they'll come in, they'll march in with their teams, they'll go where they want. You never argue jurisdiction with them. And they basically will then look at what you've given them report back to the DOJ, the SEC, the SFO in the UK, they'll report back and say, well, yeah, that company X didn't do it so well in the past. They have a plan, but I'm not happy with the plan. They've got to upgrade it. And I'm going to talk to the board members because I don't think they're talking enough about this stuff on a daily basis. They are interfering in essence. So the company has to pay for that monitor? Yeah, well, not only do they have to pay for it, they have to manage how that monitor impacts the company. And I was part of that effort at BP, for example, with the monitorship following Deepwater Horizon. That's very disruptive. And it kind of leads you into other things that kind of more hidden costs. So I've mentioned management time, a company gets more risk averse when it's in trouble. And it might sound small, but if you're more risk averse, you're not out competing hard in the marketplace, you're not securing market share, you're not selling, you're not doing what you normally do. And it starts to affect your stock price, starts to affect your investment grade. And, you know, the other thing is often overlooked. You're not you're no longer the employer of choice. Guys and gals and everyone else coming out from colleges these days wants to be working for an ethical company. If you've fallen foul of those things, all of a sudden you're not getting the cream of the crop. And that might not affect you in the next year, but it will in the next five and it will in the next seven. So all of those things you don't get to see, they will affect a company's trajectory and profit terms. Yeah, yeah. And you can see that. I mean, I'll come back in a minute about balance, because it sounds like that's probably worthwhile exploring. But but I got to ask the question. So what's the worst one you've been involved in? The worst one I can talk about that I've been involved in. Okay, yeah, that you could talk about. And I can't, you know, obviously, I've got to be careful here. It was the Deepwater Horizon incident in the US where BP had a deep water rig operating on the ocean floor in the Gulf of Mexico, the safety mechanisms in place to protect the outflow of chemicals, if that rig failed, all failed. In very public terms, you know, CNN ran a picture of the wellhead in the corner of its screen 24 seven, it allows a lot of leakage and a lot of damage. And the result of that was the company was fined. You know, I think external estimates put it at about $65 billion all in. I mean, that's not the fine. The fine was a lot less than that. But the cost of the company in terms of what I've described to you a minute ago, was something in the region of $65 billion. That's fine. That's penalties at settlements, not just settlements with the government, but settlements with private individuals who may or may not have earned their living in and around the Gulf. You know, there's a lot of attendance stuff around that. So I was there before, during and after that, you know, when it happened, very difficult time, when we managed to sort the wellhead out and lock it in, which is fabulous. But then, then the real work started in terms of actually negotiating with the DOJ, the EPA in the US, and work out what the deferred prosecution agreement may or may not be. Once that had been agreed, you know, we then had to work through the publicities surrounding the fine, which was levied on us. Then there ensued negotiating process to appoint the DOJ's monitor and what subsequently also turned out to be the EPA's monitor. And then, then the work starts, because then you had to introduce the monitor to the business, introduce the business to the monitor, those two different things, and then manage the monitor on a daily basis to make sure you know what you've given him or her, you know what they're talking to the DOJ about, you know what your calendar is, and you're making sure that the impact on the business is not too great. So I think you can hear, but and remember, all of that is alongside your day job. Because you still got to run a program and manage a program and keep abreast of the rules, as I've already talked about, this is an extra. And, you know, in a company like that, where you go through what amounted to possibly a near death experience, you also have the company wants to reset itself. So there's big projects emerge about how it wants to reset itself and what it wants to do. And I was involved in some of those too. So that was, that was the, you know, what is probably one of the biggest ethics compliance incidents ever in the whole history of ethics compliance incidents, but it was very, very hard work, but really good experience. Yeah, yeah. And it well, some of us, you know, can only relate to it from obviously what we saw on the news, and then the movie, which, you know, may or may not be accurate, but, but God, I could, I can now, now that you're talking about, I could see just the enormous amount of effort, money, right, and disruption besides, obviously, what happened to the environment and to the people. So, okay, so switching gears for a second, then, obviously, we don't Cloudflare doesn't poke holes in the ground, at least not yet. So, you know, how does, how does anyone find out about the rules, you know, in their company? I mean, where does this stuff sit? Is it obvious and easy to understand it? Well, that's a really good question, because actually, the best programs are often silently running away in the background, and you don't know you're doing them, but they guide you silently, and you they almost speed you up, you know, that that's, that would be a great program. You know, my advice to anyone in Cloudflare wants to know what the risks are, and how they can make sure they're contributing and helping manage them for the company is to reach out to anyone. I think your, your GC is a guy called Doug Kramer, who's a very accomplished lawyer with a, you know, very star spangled history. Any of his team, normally, this resides within legal. And if you reach out to any of the lawyers in Cloudflare, they'll be able to direct you to the right place. If you if you have a CCO, a Chief Compliance Officer, he or she will be able to do the same thing. But if in doubt, ask, I would say, ask Doug Kramer, he'll be able to help you. I think in developed programs, what you'll normally get is, you know, your expectations in terms of training for the year. So, you know, you turn up to your training, your e-learning website, and it says, Tim, this year, you've got to do bribery, data protection, competition law, and one or two other things. And that should appear there because if, you know, as I've talked about, if you've been able to identify your risks, the quickest way to tell your staff about what your risks are, and help them understand how the risks might occur, what they need to do if they bump into one is through training. That would be my best advice. If you, you know, Doug Kramer is your first port of call. And the culture of this company, I mean, it won't bore you, it's unbelievable. And also, some of the things that Cloudflare does, that very visible on the web, which, you know, some of them are incredibly obvious on how we're ethically doing the business, you know, protecting those vulnerable voices on the Internet that need protecting that wouldn't normally get it. So, and there is a lot of training that goes on. But, you know, but it's always good to ask, you know, for a lot of times, companies outside Cloudflare don't know where to go to get that. So, I mean, I wrote a question down, but I'm not so sure it matters, really, is because clearly it does. But does anyone really need ethics and compliance? And maybe another way to ask it is, is what happens, I guess, if you really don't have one in place? I mean, clearly, it's a competitive advantage to have it, but do you really need it? Well, look, I mean, the bottom line here is BP had a really good one in place. And that incident, which was unprecedented, still cost it the amounts I've already described. The bottom line is, in some countries, it's an expectation that you have a program in place. And if you don't, don't have one, it could be an offense. But the biggest kicker is, in the US, in particular, there's something issued by the DOJ called the Federal Sentencing Guidelines for Organizations, which says, if you've been convicted of an offense, and you don't have a program, you don't get a reduction in your fine. And your reduction in your fine can be very, very significant. So these things pay for themselves. But I think, you know, the other thing to mention is, increasingly, a company's stakeholders will want to know that you've got a handle on this stuff, that you know what your risks are, that the staff are properly communicated with, that you're managing your risks in real time, and that your ESG, environmental, social, and governmental governance risk, is in the right place. And, you know, there will be pressure probably coming into the boards of all companies, or there should be, to make sure that they know where this stuff is. In this day and age, Mark, everyone should really have one of these things. Okay, well, in the last couple minutes we have, then I guess the question that maybe a lot of people are asking is, so do ethical companies, or companies that would be described as more ethical, or more compliant, or more highly governed, do they actually make money? Because it begs the question, right, if you're incomplete, right, then can you make money? Yeah, the answer to that is yes. I think there have been lots of studies on this, but the most recent, and actually the most accessible you can find, is one by a company called Ethersphere, which year over year it names its 20 most ethical companies. And what it did for the 2019 honorees was to say, right, actually we're going to go and look back, we're going to compare those 20 companies to a large cap index. And what it found was, for the 20 companies it named in 2019 as the most ethical companies, they outperformed that large cap index over five years by nearly 15 percent, and over three years by more than 10 percent. So this is, you know, people say, well, it does pay. And the thing is that there is science coming out on this, and you are able to show now that ethics does pay. I mean, there are lots of other things, you know, your employees are more productive because they are more prepared to invest their discretionary effort in the company, your consumers respond positively to you, your vendors and suppliers want to deal with more ethical companies, and you attract ethical investors. And the ethical investors at the moment are driving a big wage into the investment market, which is important. Thanks very much, Tim. Speak soon.