Home / 

Podcasts / 

Patrick Henz: What if I put $1 Million on Your Table Without any Controls? Would you Take It?

Patrick shares his valuable insights on the evolving landscape of compliance, shedding light on the challenges organizations face in staying compliant with ever-changing regulations. From data privacy to cybersecurity, he navigates through the complex web of compliance requirements, offering practical strategies and tips for maintaining a strong compliance program.

Through engaging anecdotes and real-world examples, Patrick emphasizes the importance of proactive compliance practices and the role they play in building trust and integrity within organizations. He also addresses the misconceptions surrounding compliance, debunking the myth that it’s merely a burden and showcasing its potential as a driver of success.

Patrick Henz started his career in the Corporate Information Office and Compliance at the end of 2007, when he was responsible for the implementation of the Siemens Anti-Corruption program in Mexico and several Central American and Caribbean countries. Together with these tasks, he gained valuable insights into global Compliance programs, with a focus on Latin America. Since 2009 in his role as Compliance Officer he is responsible for an effective Compliance program; based on identification, protection, detection, response & recovery and combined with integrity, respect, passion & sustainability. With these means, he defines Compliance as pro-active function, being perceived as guardian, expert and facilitator.

Kyle Morris: So a very warm welcome to everyone listening and thank you for joining another episode of Comply or Die. So our guest today is Patrick Henz a quick background. Who is Patrick? Well, firstly, incredibly distinguished, successful and hugely respected in his field of compliance. A few key, key points that he’s been in the compliance world for over 15 years, responsible for the developments and implementation of the Siemens anticorruption program in Mexico, amongst other Central American and Caribbean countries, has a focus on information and artificial intelligence. As well, a two time President of Honor recipients at Marcus Evanson’s Latin American Corporate Compliance Conference. That’s a bit of a tongue twister. And ranked 20th at Thomas roots’us. Top 50 social influences in risk compliance and regulatory technology. So, as I’ve said, what a background. And thank you, Patrick. Thank you for joining us today. A real privilege to chat to you. 

Patrick Henz: Hello. Thanks a lot, Kyle. It’s a real pleasure to be here with you and talking a little bit about compliance. 

Kyle Morris: Thanks Patrick. So obviously I gave a bit of an intro there, but I’d love for you to tell us a little bit more about yourself. 

Patrick Henz: Okay, let me see where I shortly start. Originally, I studied business economics, business adversity at the University of Cologne in Germany. Here already with a focus not only on marketing, distribution but also social and economic psychology which I think now thinking about it is a quite interesting preparation because compliance is not only complying with the law, because then it would be easy. We would just tell the people this is the law and this you have to comply with. But various times you have to motivate the people and also sometimes you have to protect the people even against themselves, as even good people can do some stupid things, especially when they are under pressure. So it’s a quite interesting combination related to the compliance functions. And then fast forward, I moved to Mexico City, where I finally entered Siemens. This was shortly after they had their global corruption problems. So I was responsible first for the implementation of the different compliance processes, tools, controls, et cetera. Of course, we received them directly from headquarters, but you had to adapt them to the Mexican reality and also adapt them to the relatives in the Central American countries, elscotmala El Salvador, Costa Rica, et cetera. After a while I stayed there being responsible for processes, and then I became responsible for the industry sector later on, also for infrastructures and cities. Then in 2013, I had the opportunity to join Siemens here in the US, where I became responsible for the different businesses here. And now I’m working in a different company and I’m responsible for Unrealistic approach, including governance, risk and compliance for the US. But also for Latin America, which is quite fascinating. 

Kyle Morris: Wonderful. Thank you Patrick. And I think some of what you touched on. There already were a few of the questions I had come in later with regards to what you find challenges in the space. And I know you touched on the people aspect and one that really stood out to me was how to actually get people motivated about compliance. So I think we’ll talk about that one a little bit more later. But it definitely sounds like it’s been a real exciting journey. So I mean the format and we’ve got some a bit of a Q and A style today that we’re going to run through with you. And I think maybe the great starting point is, from what you’ve said, what inspired you, what started all of it, what was the spark that made you want to be a compliance expert? 

Patrick Henz: I think maybe others already mentioned it wasn’t my idea to work later in compliance. Also, to be honest, as I’ve been studying in Germany and also started working in Germany, compliance was not really a big topic. Even more, as you may be aware earlier, it was still possible to reduce bribery costs from the Texas in Germany. So it wasn’t really a topic that people working in Germany had been very well aware of after I moved to Mexico, it was just that I’ve been at the right time at the right point or the wrong time at the wrong point. However you want to mention it, Siemens Mexico had to implement the compliance system. And as I was there, as, let’s say, an information it Implementation Manager with no project. Right at that moment, I got selected for this task, and after this I stayed inside the Compliance Department because it’s honestly very interesting work. Not only because it has somehow a social impact. So it’s not only that you ensure a sustainable business of the company itself, but also you see the positive effect on the society, especially if you are in a higher risk country where corruption is not only something abstract as for example here in the US. You know, there is corruption, you see it in the news, but it does not affect you in your personal life in opposite, for example, to Mexico. So I stayed there after the implementation. And besides the social aspect, it’s also very interesting because it’s one of the few positions where you have contact with everybody inside the company. So you have insights in all the different departments and not only stay in your departments or just really quite interesting.

Kyle Morris: Absolutely, I think that makes a lot of sense and like you say, the role itself progressed quite far from where you initially started and what you thought you were going to end up with. But from what I sort of see what you’re saying as well, there’s a large enjoyment from just the holistic side of the role and exactly, as you mentioned, not being dealing with just one department organizations as a whole and as that progresses. So, I mean, maybe touching on that point a little bit to say how has the compliance or compliance expert role evolved over the years is maybe a little bit broad because your role in itself, from where you started to being a compliance expert to a GRC role has maybe shifted quite a lot. But maybe from a high level, in your opinion, from getting involved in this field, how have you seen the role has changed over the year? 

Patrick Henz: Well, speaking first directly, based on my experience in Siemens here we implemented compliance as direct reaction to a corruption case. So you started, let’s say, as the policeman, but then over the years, the idea was to give back responsibility to the employees so that they really can take decisions based on their personal knowledge, values and also as there is again a higher level of trust. So we shifted a little bit from the control to the prevention being more this is the idea being the trusted adviser. This includes, of course, being the compliance experts, but also important that you have to have at least a basic knowledge what the company is doing. So you have to understand what are the real problems besides compliance, what motivates the employee to understand also how the company is earning its money, which is at the end, also the salary of the compliance officer and also, of course, you have to be a trusted colleague and this means that they not only see you as the policeman, but also as a trusted colleague which they can ask if they have questions before. So the idea is not to get into trouble in the first place. But of course you have to be from time to time. Also the policemen as they are, sometimes things not going as they should be. You always may have a black sheep, even if it’s less than 1% of your total employees. So also they have to see that you follow up problems and also that you ensure adequate answers. So that meaning nobody is above the law and everybody has to comply. I think this is a necessary change for all companies who implemented compliance directly after they had a bigger problem. In general, I think the compliance function is evolving. One big concept, of course, ESG. So not only complying with the law, but also with ethics, aligning the personal values of the employees with company values. Because not only generation C wants to work in an ethical company which is a good corporate citizen, but also the earlier generations. So having compliance aligned with social responsibility, which ensures sustainable business, reduces the rotation of employees and so on. So I think a lot of compliance function evolves into est. Another concept, also Holistic concept is what I already mentioned, GST. So to have compliance aligned with governance and risk which makes much sense because it’s somehow an expansion so first of all that you not only see the compliance risk but that you do the risk assessment for the whole company. And also important from my point of view is to ensure that internal process is independent if it is compliance or any other function, that they are as non bureaucratic as possible and as strong as possible. Ensuring that employees complying with all processes, not only directly compliance processes, but all processes. Because let’s say an example if HR processes are not efficient, if employees looking for the loopholes inside the travel expenses, HR regulations, et cetera, and they say this is working, they will show a similar behavior also looking for the loopholes inside the compliance processes and even look for the loopholes inside the anticorruption law. So I think TSC also is an approach which makes much sense for compliance to evolve into. It is wonderful. 

Kyle Morris: That’s an amazing answer. I think there’s so many really important aspects in there and I hope every one of the listeners get the same value out of it. That’s absolutely wonderful. Thank you. If we had to maybe single out one aspect, if it is possible, what would you say would be the one thing that an organization would want to focus on in terms of compliance?

Patrick Henz: If it’s just one thing I would like to mention and also, as it was, I think pointed out by the US. Government companies have to be aware of behavioral science. So it’s not enough to have just checked the box compliance system but you have to have knowledge about human behavior. Note that they are vulnerable for pressures. Also temptations for this, for example, the implementation of controls is also a question of ethics. Let’s say if I would put $1 million in cash on your desk without any controls, this would be a high temptation on you maybe to take away some hundred dollar or not. This would be quite human. And so that’s why you have to have this background in behavioral science. You have to be aware of the different biases which could develop into a tunnel view on ethical blindness that you have maybe the right personal attitudes, but due to the pressure of inside the project execution in the sales process, you somehow not comply with your own values anymore. So I think having knowledge about human biases, pressure of attic blindness, this is important to have efficient processes in place which include, of course, adequate training about ethical blindness that employees are aware of their own vulnerabilities. And also consider this for the implementation of your processes. 

Kyle Morris: I think what really stands out to me in that, Patrick, is if you think about the nature of this conversation and talking about compliance in organization, I think it’s very easy to look at technology and look at regulatory requirements. But like you’ve touched on so many times, the real important part is really unpacking the behavioral science like you made mention of and the psychology of how people act, I think intrinsically as their behavior goes with the example you made mention of. And this, I mean, really ties into the next question where I was going to ask you around. What do you see as the one or the biggest challenge that organizations face? But I would maybe take a guess and assume here, and I’d love you to elaborate on it a little bit. Is that the people aspect? 

Patrick Henz: Yeah, I mean, compliance at the end, it’s about the people, it’s about the employee. So yes, it’s always about the people. Even if it affects if it’s also triggered by regulations and by technology. One big risk is that we have higher risk countries. And so, for example, if I am, for example, in my situation, I’m here based in the US. Employees were going up in this country. Luckily, I’m not really had the experience facing this corruption which somebody, for example, growing up in Mexico, and I lived and worked ten years in Mexico, practically as a child, you get confronted with corruption, low level corruption, and due to this you develop some kind of defense system which people have in the US. Don’t have. So, for example, if regarding business, I send people, employees from a low risk country to a high risk country, it’s my obligation to prepare them a little bit for the situations which they have no experience in. It’s similar as Vaccination. So for example, coming out hopefully out of the COVID So we protected ourselves with the Vaccination. And due to this, also compliance trainings have to work as a Vaccination, which means also accordingly, I have to repeat them regularly. If not, people forget about it. And the other thing is, of course, technology working together with intelligent algorithms with AI, as you know, AI also is biased. We always see this when we discuss now the new AI created images, how they include biases. If we speak about GPT, which is able to create essays based on a question, these texts, these images, they are all biased. And we tend to underestimate these risks. Employees may perceive the AI as more intelligent, as themselves, for example. And then due to this, not challenge the size I’m getting from the computer or even they may perceive the AI as a higher level, similar to a manager because the AI was implemented by the decision of the CEO and they are afraid to challenge the decisions coming from the algorithm. Again, compliance is about the humans. So we have to ensure that our employees stay critical, they keep up the ability of human thinking. And this is, I think, another interesting challenge.

Kyle Morris: Absolutely. And I think even tying into that point, sort of forward looking and looking into what the future of compliance holds, maybe a few thoughts from you linking AI towards it. How do you see where we are now to the near and far future and what compliance will look like then? 

Patrick Henz: I mean, coming out of a crisis, normally it’s like this, you have to attend the crisis, whatever it takes. Meaning, I remember working in Siemens in 2008, for example, there had been no problems with the budget. I mean they sent you to go somewhere, they rented the biggest rooms at the nicest hotels for you. But after this problem was attended, compliance is facing the same cost pressures as all other departments. So we have to pressure reduce headcount for example. Of course we have to see which tasks could get automated and which cases tasks we still have to be executed by a human compliance officer. So we have to look in the future, I mean we see the development regarding virtual reality platforms. So for example, I can have my small little personal digital twin which employees for example could ask regarding questions normally on the website. You see, the first level of service could be an algorithm answering general questions and then only if they have something more complicated they would come to me. This could also be beneficial for some cultures where employees are afraid to ask because it may be like losing a face that they not know which process applies if you want to invite somebody, et cetera. So could be also beneficial. Of course we can use a little bit more intelligent web based training, especially the Compliance basic training. It’s normally not very interactive. When you are coming as a new employee into the organization, you receive a lot of information. Often you are still afraid to ask because they come in the big guys telling you what to do, there comes the compliance officer, they still don’t know you, they don’t know you are the police, the judge or just a good friend. So a lot of times the new employees are anyway afraid to ask. So it’s a quite one way communication. So this is something which you can for example automate with web based training. There you can include now also videos to make them interesting, but just still have something like a compliance quiz after the webbased that here you can bring in your personality as a compliance officer and as a positive atmosphere while you discuss maybe different scenarios so that they can get to learn who you are. In short, the topic also for compliance is to see what can I automate and where I still need to have the human compliance officer. 

Kyle Morris: Patrick, I think somewhere along the line you must have seen a script for today beforehand because basically every question you’ve answered has tied directly into the next one I wanted to ask. I thank you for that Grace, we’ve stayed on track. Wonderfully. And the last one that I actually did want to discuss was around the benefits and the value you see from automation in the compliance world going forward. But I think you really have touched on that already. Is there anything else you would want to add from the benefit you see of automation and compliance? 

Patrick Henz: Not from the benefit, but on the other hand, of course, the implementation of AI includes new risks. At the end, company is responsible for the behavior of its human employees, but it’s also responsible for the behavior of its AI. Let’s say if you have a chatbot on your website and it starts harassing your customers or you have an internal chatbot who would start harassing your employees, you are the same responsible if this would be a human employees. So we have now a little bit the question who in future will be responsible for the behavior of your algorithm? This could be, for example, compliance, because I’m free of some tasks which may lead two options. I may reduce my own headcounts or I look for new responsibilities. So a future responsibility for compliance could also be responsible for the compliance of your algorithms, especially if you have, for example, a chatbot on your website or you are going into virtual platforms, you’re having virtual characters representing the companies and so on. So they are fascinating new fields, as I’ve mentioned. Also, if I am offering a service situation of virtual pictures, virtual text, I also have to test them quite extensively if they’re not including biases, as we see today in various examples. 

Kyle Morris: Wonderful. Thank you, Patrick. A really key takeaway for me from that is just how the compliance evolves and goes down the proverbial rabbit hole, if we call it that, that you focused on compliance and now you’ve achieved compliance. So you’ve put in an element of automation and now you need compliance on the automation elements and so on and so forth. Thank you. That Patrick pretty much wraps up the questions. I really am so grateful for your time today. It’s been super insightful. It’s been wonderful to have you on the podcast. 

Patrick Henz: Thank you. Thanks for the invitation. And just at the last point, also listening to the earlier episode, I think one another positive thing working in compliance, it’s a role which is not that strictly defined, let’s say in opposite to an account and a project manager. So you can pretty much interpret a compliance role also based on your personal character. If you are more the type writing processes, if you’re more the type being in contact with the people, for example, traveling a little bit around with your salespeople, having talked with your customers, whatever. I mean the role you can pretty much interpret also based on your personal character. And of course, considering the particular needs of the different businesses and companies. Absolutely take it straight from you. 

Kyle Morris: Thank you, Patrick. Appreciate your time today. 

Patrick Henz: It was my pleasure.