Part I-Background

In late May, the law firm of Covington & Burling LLP (Covington), released its long-awaited report (Report) to the Special Committee of the Board of Directors of Uber Technologies, Inc. (Uber). It is truly one of the most unique corporate documents you will ever see. I want to review the Report and what it means for the Chief Compliance Officer (CCO), compliance practitioner and indeed the entire compliance profession.

...one of the most unique corporate documents you will ever see.

The Report was commissioned after Susan Fowler, a former engineer at Uber, published a blog post detailing allegations of harassment, discrimination, and retaliation during her employment at Uber, and the ineffectiveness of the company’s then-existing policies and procedures. The next day, Uber retained Covington “to conduct a thorough and objective review regarding “the specific issues relating to the work place environment raised by Susan Fowler, as well as diversity and inclusion at Uber more broadly.””

According to the Report, Covington conducted over 200 interviews with current and former employees who shared a broad range of perspectives; interviewed individuals with knowledge of Ms. Fowler’s allegations; employees who reported workplace environment-related complaints; employee representatives of Uber’s affinity and diversity groups, and current and former members of the Senior Executive Team.

The law firm also retained an experienced consulting firm to partner with them to convene and moderate anonymous, online focus groups with a statistically-significant percentage of Uber’s employees in the United States, gathering broad-based data about employee perceptions concerning Uber’s workplace environment and culture. Finally, the law firm conducted a document review that included searching databases containing over 3 million documents.

The Report is one of the most remarkable discussions of a complete workplace culture disaster that has ever been rendered for a multi-billion business. If you changed some of the business and legal language, you might well think you were reading a report on Animal House or some similar hard-partying fraternity from the 1970s or 1980s. Regardless, the state of culture, governance and internal controls at Uber can only be described as beyond abysmal.

...you might well think you were reading a report on Animal House or some similar hard-partying fraternity from the 1970s or 1980s

Some of the more salacious highlights included recommendations to prohibit “non-prescription controlled substances” (i.e. illegal drugs) “during core work hours, at work events or at other work-sponsored events.” Similar but additional prescriptions were recommended for alcohol use during “core work hours”, at company events and during company travel. Finally, the advice that “Uber should also encourage responsible drinking.”

Similar to the Shearman & Sterling report to the Wells Fargo Board of Directors, the Uber Board comes in for some direct criticism. In the area of corporate governance, the Report advises that the Board should have greater independence and the “additional Board members should be directors with meaningful experience on other boards who can exercise independent oversight of Uber’s management.” The Report also recommends Uber install an independent Chairperson who, “could address several of these recommendations, particularly the need to serve as an independent check on Uber’s management and the need to demonstrate to Uber’s employees, partners, and customers that the Board is taking the investigation and the need for governance reform seriously.”

The Report also stated the Board “could create an Ethics and Culture Committee” which would “oversee Uber’s efforts and enhance a culture of ethical business practices, diversity, and inclusion within the organization. The activities of the committee could involve meeting with senior members of management who are responsible for ethics, Compliance, Human Resources, and risk. This committee could establish and monitor metrics that are intended to measure compliance with Uber’s business values, and the promotion of an ethical and inclusive environment.” Yet apparently, there is so much work to do at Uber, the Report recommended, “Alternatively, this committee could focus solely on Uber’s remediation of recent issues.”

At the Board of Directors level, an Ethics and Compliance Committee can devote itself exclusively to non-financial compliance, such as setting a company’s ethical business culture and compliance with it going forward. While many companies have fulfilled these obligations through an Audit Committee, clearly the better practice is to have a separate Compliance Committee. The reason is clear, that compliance has become not only central to any well-run business but it is critical to overseeing a wider variety of risks than the typical Audit Committee has experience with, which is usually only aimed towards financial risks. The Board Compliance Committee should begin its inquiry with a basic: ‘How do we know it is working?’ and go forward from that point.

The Department of Justice (DOJ), has continually talked about the need for companies to operationalize their compliance programs. Businesses must work to literally burn compliance into the fabric and DNA of their organization. Having a Board member with specific compliance expertise, heading a Board Level Compliance Committee can provide a level of oversight and commitment to achieving this goal. It will not be long before the DOJ and Securities and Exchange Commission (SEC) begin to require this step in any Foreign Corrupt Practices Act (FCPA) enforcement action resolution. Under the factors set out in Prong Three of the FCPA Pilot Program, entitled “Oversight – What compliance expertise has been available on the board of directors?”, you need to have not only the structure of the Board Level Compliance Committee but also the specific subject matter expertise (SME) on the Board and on that committee.

Finally, recognizing that compensation can be a powerful motive to induce ethical and even business appropriate behavior the Board recommended that it use compensation to hold senior executives accountable by “incorporating ethical business practices, diversity and inclusion, and other values from Uber’s Business Code of Conduct into its executive compensation program. This compensation program would be coupled with training on the company’s revamped ethical business practices, diversity, inclusion and other key corporate values.

Both the DOJ and SEC have long recognized, as they stated in the FCPA Guidance, “positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”

The power of an ethics and compliance compensation plan can act in ways that support a start-up’s evolving business model and overall strategy going forward. The Report recognizes that the first job of the Uber Board will be to change the company’s culture to make ethics and compliance more important and then burn it into the fabric of the organization. Making it a part of compensation can assist in doing so.

Part II: Internal Controls

Next I want to look at the internal controls aspect of the Report. According to the International Federation of Accountants, “Proper risk management and internal control help organizations understand the risks they are exposed to, put controls in place to counter threats, and effectively pursue their objectives. They are therefore an important aspect of an organization’s governance, management, and operations.” Internal controls not only help companies recognize the risk they face but also work to protect against that risk. The Report listed several different areas of risk at Uber where internal controls could help in both areas.

A. At the Board

The Report noted the Uber Board “should take steps to enhance the size, role, and independence of the Audit Committee” believing the Audit Committee could be enhanced through expansion to include more independent directors and a clear articulation of the oversight role that the Audit Committee is intended to play. Some of the key “potential roles that the Audit Committee could play is to have a direct reporting line from Uber’s Compliance organization, an appointed ombudsman, and/or Uber’s internal auditor.” Most interestingly, the reason for “this structure would be to ensure that the person(s) playing those roles will have the ability to bring significant compliance or harassment issues to the attention of the Audit Committee without having to go through management or the CEO.” It ended with the notation that the Audit Committee should be empowered to oversee the final resolution, including commissioning a full investigation, if warranted.

This paragraph is fairly remarkable when you consider this final recommendation, basically that employees must be protected from both senior management, up to and including the Chief Executive Officer (CEO). It also specifies reporting lines from compliance and internal audit up to the Board. While you might not recognize reporting lines as an internal control, such are clearly contemplated in the COSO 2013 Internal Control Framework Update. Under the first objective, Control Environment; Principle 3 - Structures, reporting lines, authority and responsibility, a company must consider all the structures throughout an organization and then move to define the appropriate roles of compliance responsibility. This Principle also requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

B. Policies and Procedures

As dull and mundane as policies and procedures may seem, in reality, they form the backbone of a culture of compliance. The Report makes clear “Uber should take steps to enhance its internal controls with respect to policy compliance.” With yesterday’s notation that illegal drug use and excessive alcohol consumption during working hours it is probably no surprise that the company had similar problems during company-sponsored travel.

One might reasonably wonder how any auditor would approve reimbursement of business expenses where receipts were not provided.

The Report stated, “In particular, Uber should review its policies and procedures with respect to travel and expense reimbursements and enhance such policies to ensure that items that are inconsistent with Uber policies and procedures are not reimbursable and not reimbursed, and that proper controls are put in place to ensure compliance.” Rather amazingly the level of control detail went down “into the weeds” to expense reimbursement, stating “these procedures should require that Uber personnel at every level of the organization submit receipts as a condition to receiving reimbursement.” One might reasonably wonder how any auditor would approve reimbursement of business expenses where receipts were not provided.

Finally, the Report recommended training, stating “Uber should provide training to senior management and other employees regarding these new policies and procedures.” Training and communications more generally are always listed as a component in any best practices compliance program. Yet here it is listed as an internal control. The effect is not only to put employees on notice of the enhancements but also to set the standard which must be followed.

C. HR Internal Controls

One thing the past year in the Foreign Corrupt Practices Act (FCPA) enforcements has taught the compliance profession is the need for internal controls around the Human Resources (HR) function. The JPMorgan Chase and Qualcomm FCPA enforcement actions were replete with non-existent HR internal controls, failures of HR internal controls and over-ride of HR internal controls by non-HR executives. While the Report did have some recommendations around hiring controls, it focused on keeping track of the employment agreements the company had with its employees, stating “All settlement and separation agreements with employees should be logged and tracked to ensure proper record-keeping, compliance with the agreements, and consistency in terms.”

The Report was even more damning around the company’s HR function in its core function of preventing discrimination and harassment. It was clear from the blog post by Susan Fowler back in February, which led to the retention of Covington, that the Uber HR function acted as department to protect those alleged to have engaged in discrimination and harassment. So not only did the Report posit better tracking of complaints but also personnel records and employee data. One can only imagine what type of slipshod HR function existed at Uber where the company must be told to keep better track of personnel records. The Report had the following (almost chilling) recommendation that “Uber should also emphasize the importance of record-keeping to all Human Resources staff, and impose consequences for failure to adhere to record-keeping requirements.”

How bad was the environment for discrimination and harassment? This section of the Report gives a hint when it noted HR internal controls should “easily identify whether prior complaints have been lodged to ensure that appropriate action is taken with respect to repeat offenders. Likewise, organizations or managers give rise to multiple complaints such that intervention with the manager is needed.”

The lack of and failure around internal controls at Uber tells quite a sordid tale. Yet the Report makes clear the importance of internal controls in turning things around for the company. For the compliance practitioner, the Report is a useful way to consider the internal control regime in your company and how it can work to operationalize compliance in your business.

...the underlying toxic culture at Uber was laid bare to the public in this most 21st century of communication tools.

Part III: Going Forward

The public starting point for the collapse of the company was a simple blog post back in February by a former Uber employee Susan Fowler, who wrote about, “allegations of harassment, discrimination, and retaliation during her employment at Uber, and the ineffectiveness of the company’s then-existing policies and procedures.” I find this starting point to be significant in the consideration of risk management in the 21st century corporation as it is the first time a blog post wrought such changes in a corporation.

To be sure, it was only the starting point but the underlying toxic culture at Uber was laid bare to the public in this most 21st century of communication tools. Every CCO and indeed senior executive and Board Director must understand that the days of corporate opaqueness are long gone. If one blogger can unleash such forces, it means that companies must be operated ethically, in compliance with laws and regulations and with transparency. Compliance also needs to be inculcated into start-ups far earlier than is usually done, where it is almost an after-thought.

One of the key questions I have been mulling over is whether Uber could have achieved its meteoric growth, multi-billion-dollar market cap valuation and industry leader without its frat-boy culture. By pushing the boundaries, Uber took on as an entrenched industry as there is literally across the globe, the taxi industry. In every city and country such industry is highly regulated and at least in the western world there are very high barriers to entry. Uber claimed its drivers were not cabbies and not subject to these barriers to market entry. When cities put regulations in place to attempt to control the company in their city, Uber simply out-maneuvered them. This is what happened in Texas where Austin set up regulations which Uber did not like so Uber simply got the more Uber-friendly Texas legislature to pass a law which said only the state could regulate ride sharing companies.

But Uber did not seem to ever get over its bad-boy attitude and grow up to act like a real company. Brooke Masters, writing in the Financial Times (FT) Companies column, in a piece entitled “In corporate culture, as with fish, rot starts at the head”, said the Report “shied away from asking the most important question: how did Uber grow to be the world’s most valuable private technology company, worth $62.5bn at the last fundraising, without addressing some of these issues?” She answered her own question with following, “as with fish, corporate rot starts at the head. Since 2009, Mr Kalanick has led the company with a hard-driving, take-no-prisoners approach to everything, from competitors and regulators to his own staff.”

After the incidents detailed in the Report and Chief Executive Officer (CEO) Travis Kalanick’s well known outbursts and public meltdowns, there was even one more event to demonstrate just how rotten Uber is at the top, even now.On Tuesday of last week, only seven minutes into the Board’s presentation of the Report, the Board’s full acceptance of the Report’s recommendations and steps going forward to Uber employees, the New York Times (NYT) reported the following exchange took place, “In front of employees, the board member Arianna Huffington talked about how having one female director typically leads to more female directors. David Bonderman, a fellow board member and a founding partner at the private equity firm TPG, replied that adding more women to the board would result in “more talking.”” The article went on to note, that the “remark left people aghast, according to those who were there”. Sexism is not much more public and repugnant than Bonderman’s remark. He resigned from the Uber Board of Directors the next day.

The starting point for the turnaround of the company was the removal of founding CEO Kalanick, who took an indefinite leave of absence after the release of the Report. Unfortunately for the company he did not appear to cede controls as he appointed no person to fill his role rather, as Masters noted, “Instead, all 14 of his “directs” will share responsibility and he remains “available as needed for the most strategic decisions”. He clearly plans to come back: “If we are going to work on Uber 2.0, I also need to work on Travis 2.0.””

Based upon the Covington investigation some 20 employees were fired world-wide, including the India country manager who had surreptitiously obtained the medical records of a woman who alleged she was raped by an Uber driver. The departure also included one of Kalanick’s closest confidants, Emil Michael, the (now former) Senior Vice President of Business at the company. Further, Uber currently has no formal No. 2, no Chief Operating Officer (COO), Chief Financial Officer (CFO), General Counsel (GC), Chief Marketing Officer, Senior Vice President of Engineering or Chief Diversity Officer. It probably should go without saying the company does not have a CCO or anyone who might be responsible for ethics at the company.

As is often the case, it is the editorial board at the FT which has some of the best advice for businesses, both in the UK and the US. In a piece entitled “At Uber, counting the cost of winner take all” the paper said, there are three groups which can influence the behavior for Uber going forward: the company’s owners, largely Kalanack and his cronies; the Board of Directors, think about Bonderman at this point; and its customers, IE., you and me. As to the final group, we can vote with our pocketbook by changing over to other ride-sharing companies such as Lyft.

Most importantly, the Uber ownership structure is a forbearer of ownership being concentrated in the hands of a few key founders. If they do not put compliance and ethics into the ethos of the company at an early phase, they cannot be forced to do so by shareholders or investors. This anomaly will make independent Boards of Directors more critical for getting such companies ready to go public. For if such companies cannot meet the requirements of a public company, everyone loses.