ResearchPDF Available

TELIA Case Study Addressing (ir)responsible business behavior

Authors:

Abstract

This case provides an example of how (ir)responsible business behaviour was addressed in a Swedish tele- communication company. The company was in a mode of crisis after allegations of bribery and human rights violations in its Eurasian business. The change process covers the creation of and Ethics and Compliance function that had as its purpose the development of a framework for compliance with a particular focus on the design and implementation of an effective anti-corruption program. This case is written within the framework of a research project that explores the linkages between responsible leadership, sustainable business, innovation, and growth in Swedish-based corporations with a global outreach. The case is aiming for new insights regarding how to create a methodology to implement responsible business behaviour
TELIA Case Study
Addressing (ir)responsible business
behavior
Ingalill Holmberg
Anna Romberg
Stockholm School of Economics
December 2018
2
About the Authors
Ingalill Holmberg is Professor in Business Administration at the Stockholm School of Economics (SSE).
For more than two decades she has been the Director and Research Leader at the Center for Advanced
Studies in Leadership at SSE. In these years she has initiated and managed a broad spectrum of
research projects in collaboration with corporate partners and internationally recognized scholars. She
is the author of numerous articles and books on management and leadership. Her most recent work is
on responsible business and responsible leadership.
Anna Romberg has a Master’s degree in Business Administration from Åbo Akademi. She is a PhD
student at Åbo Akademi and a compliance professional with extensive experience in auditing, corporate
governance, and compliance management. She is researching these subjects in her doctoral studies. At
Telia, she was responsible for the Global Anti-Corruption Program. She was also the regional ethics
and compliance officer for Telia’s operations in Eurasia. She has subsequently worked as Chief Ethics
& Compliance Officer at a Finnish multinational company.
© Ingalill Holmberg, Stockholm School of Economics, and Anna Romberg, Åbo Akademi University
3
Introduction
This case describes how responsible business was addressed at TeliaSonera, subsequently renamed
Telia Company (Telia).
1
The company was in crisis mode in 2012 and 2013 following media allegations
of bribery in its activities in Uzbekistan. Telia appointed a new Board of Directors (hereafter, the
Board) that elected a new Chair at the Annual General Meeting (AGM) in April 2013. A new Chief
Executive Officer (CEO) joined the company in July 2013. There were ongoing internal investigations
into Telia’s operations in Eurasia by the English law firm, Norton Rose Fulbright (NRF), that reported
to the Chair. The Chair and the CEO set a determined tone and communicated their intention to guide
and fully support the transformation of the company into a responsible and sustainable business. In
September 2013, the new Chief Ethics and Compliance Officer (CECO) joined the company and was
instructed to create an Ethics and Compliance (E&C) function that had as its purpose the development
of a framework for ethics and compliance programs and specifically the implementation of an effective
anti-corruption program.
2
At Telia, this work was referred to as Responsible Business.
3
This case, which covers a period of three and a half years, describes the hard work at Telia, guided by
the new CECO, that involved people at all company levels as well as external professionals,
sustainability managers, ethics and compliance officers, investigators, compliance specialists, lawyers,
journalists, and regulators. Summarizing the process, the CECO states:
“It was a journey where not all answers were clear from the outset. A journey of over three and a half
years with unexpected challenges, mistakes, and new insights from which we developed a framework
and a methodology for enhancing responsible business at Telia.”
Grasping the reality
In April 2012, the Swedish investigative TV program, Uppdrag Granskning (UG), broadcast an episode
that described how oppressive governmental regimes in some Eurasian countries (mis-)used the
telecom networks operated by Telia´s subsidiaries and associated companies. The allegations were that
Telia contributed to human rights violations in some Eurasian operations where the authorities had
direct access to the networks and were using this access to threaten and oppress people with differing
opinions or who were otherwise critical of the regimes.
In September 2012, UG broadcast yet another episode about Telia and its business in Eurasia. This
program alleged that Telia had paid billions of Swedish crowns (SEK) to a company owned by a young
fashionista in Gibraltar (Takilant) in exchange for licenses in Uzbekistan. The program claimed that the
ultimate beneficiary behind Takilant was, in fact, the daughter of the Uzbek president. She had
obtained the licenses by using her connections and considerable influence to acquire the valuable
1
This case was developed within the framework of a research project that explored the linkages between responsible
leadership, sustainable business, innovation, and growth in Swedish-based corporations with a global outreach. The purpose
of the project was to describe how responsible business behavior appears in everyday work and practices.
2
This text is based on round-table seminars, interviews, and documentary data. The perspective is that of the ethics and
compliance professional.
3
Other corporate initiatives were taken that addressed sustainability at the company. These initiatives are not discussed in
this case.
4
licenses at a very low price from the Uzbek government.
In response to increasing criticism and pressure, Telia began an independent investigation to be
conducted by the law firm, Mannheimer Swartling, (MSA). Telia agreed to make the results of this
external review public. At the same time, the Swedish prosecutor announced that he would open a
criminal investigation into the matter. By December 2012, Telia’s management was still denying the
allegations. Telia’s management was convinced that the ongoing investigations and legal process would
show that the suspicions of criminal activity were unfounded. The independent review from MSA was
released on February 1, 2013. MSA held a press conference and, contrary to Telia’s expectations,
expressed serious criticism on several points. MSA found no evidence of bribery or money laundering
under Swedish law based on the information available. However, MSA could not state that there was
no bribery and that the crimes the media and the Swedish prosecutor had described should be
dismissed by virtue of its inquiry.
“If one carries out business in a corrupt country, one should quite simply be more thorough than
TeliaSonera has been … If one doesn’t know who a counterparty is, nor how a counterparty has
obtained it acquired assets, it would seem difficult to ensure that corruption has not occurred at some
step along the way.[MSA press release, February 1, 2013]
The CEO consequently announced his resignation. The current CFO was appointed as acting CEO.
Although there was considerable harsh, public criticism by important shareholders and by the Swedish
government, Telia continued to see itself as a victim of unfair media attention. Telia issued a press
release in which the company pointed out that although the MSA investigation had identified several
signs of corruption and some deficiencies in risk mitigation and controls, Telia’s Board and
management were convinced that the company had not committed any crimes. There were numerous
red flags, but no smoking gun.
Getting to work
At the AGM in April 2013, the shareholders elected a new Board that then appointed a new Chair. The
Chair employed an English law firm, Norton Rose Fulbright, to investigate Telia’s business practices in
countries in Telia’s business region of Eurasia. The Board employed a new CEO who joined the
company on the 1 July 2013. The acting CEO returned to his former position as CFO. On September
1, the new Chief Ethics & Compliance Officer (CECO) began her new job.
The new CECO’s assignment was to implement an Ethics & Compliance program with a specific focus
on Anti-Bribery Corruption (ABC). The recruiter’s job description of the CECO position was very
professional in its listing of the cornerstones of “effective” ABC Programs. The new CECO states:
“We suspected that very few people in Telia management, or on the Telia Board, actually at this time,
knew in detail what an “effective” ABC Program entailed.
However, it was agreed that change at Telia was necessary and that the focus on ABC was very
important. Telia, without delay, should inform investors, shareholders, analysts, and journalists
which actions it planned to take to regain trust and to rebuild the company’s brand. An E&C
function and an effective ABC Program were important parts of this effort.
5
At this time, in 2013, there was ambiguity concerning which legal and ethical risks required attention.
Lawyers wondered if all the legal risks required compliance programs. Some lawyers speculated that
journalists influence compliance agendas on risks, especially when the media shines a spotlight on new
risks. The situation seemed confusing, overwhelming, and unsatisfactory. Many lawyers asked: Is the
E&C a function or a methodology? Is the E&C a “layer of defence” or something else? Could E&C be
separated into Compliance and Ethics (the latter, more a voluntary issue)? There were, and still are,
different answers to these questions. However, the new CECO was crystal clear:
Compliance cannot be separated from Ethics. Ethics is not an extra layer of protection on top of
legal requirements. Ethics is the foundation of a society´s common values system and its legislation.
Consequently, to grasp the full concept of Responsible Business, a company needs to go beyond legal
obligations.
The work began at Telia with identifying and examining which areas/topics of behavioral risks Telia
had and which areas/topics should be subject to effective compliance. The E&C team at Telia had a
running start because the journalists had already called attention to many risks in their reporting on the
company. In fact, the corruption risk and, to a lesser extent, the risk to freedom of expression and
customer privacy were already media scandals. The E&C team quickly identified ABC and Freedom of
Expression and Customer Privacy as important topics. The latter topic is especially important for a
telecom company. Another topic, Occupational Health and Safety, was added because the new
management wanted to prioritize this area of responsible business. The CECO recalls:
“At this point, it was quite clear that the corruption risk was not only a behavioral risk because the risk
already had significant reputational impact and could have severe legal consequences (evidenced in
Sweden at the time) and financial consequences (should the legal risks materialize - the fines in cases
outside Sweden could be very high) as well as business continuity risk (could the company continue
operating in this region?). In many experts´ opinion, the risk of bribery and corruption is also a human
rights risk (or a societal risk, as Telia today describes it) because corruption and kleptocracy are
effective blocking points in the protection of all human rights.”
Initially the E&C team prioritized the anti-bribery corruption program (ABC Program) because a well-
crafted ABC Program would benefit other topics linked to responsible business. The CEO states:
“To prevent corruption, an effective ABC Program is a minimum requirement for any company, small
or large, global or local, regardless of nationality.
Drawing on her international experience, the CECO decided to take a global approach. The
framework, described in detail below, addresses the “effective” compliance that a company is required
to demonstrate that it exercises when examined by a regulator or authority, such as, for example, the
Department of Justice (DOJ) in the United States (US). At that time, however, there was no indication
that the US authorities planned to investigate Telia. The framework was then approved by Telia’s
management and Board. Eight months later, the E&C team learned that the DOJ, the US Securities
and Exchange Commission (SEC), and Dutch prosecutors had initiated investigations into Telia and its
dealings with Takilant in Uzbekistan.
4
4
In the US, the FCPA (Foreign Corrupt Practices Act), which identifies and describes certain corporate crimes, enables the
DOJ and the SEC to investigate these crimes and approve effective compliance programs.
6
Ethics and Compliance a framework for Responsible Business
The E&C framework at Telia, which has ten cornerstones, describes what regulators and compliance
professionals refer to as “effective” compliance or “adequate procedures.” Effective compliance at the
highest corporate level aims to prevent wrongdoing, detect wrongdoing, investigate wrongdoing, send
warning red flags, and provide remedies. Telia’s compliance framework, which takes an
uncompromising tone emanating from top company management, specifies root causes of
wrongdoings and proposes remedies.
More specifically, the ten cornerstones
cover activities such as; thorough risk
assessment (to identify and understand
potential risks), setting up an organization
and a governance structure for managing all
aspects of responsible business, install
policies, instructions and guidelines to help
managers and employees to develop and
sustain an ethical working practice, as well
as providing training sessions on anti-
corruption and other responsible business
topics. Other activities focus on developing
and implementing processes for due
diligence of third parties, securing a Speak-
Up line where misconduct can be reported,
and procedures for preventing retaliation.
And finally, in order to provide remedial
actions, which include corrective and disciplinary actions, a Special Investigations office has to be
established. Placing “tone at the top” at the core of the framework signals that an effective compliance
program requires that a company’s top management and its board of directors understand and support
all aspects of effective compliance.
Telia’s framework for effective E&C, introduced during Fall 2013, was well received and was
subsequently used in numerous presentations to the Board, management, investors, journalists, other
ethics, compliance and sustainability officers, the SEC and DOJ in the US, and the Swedish and Dutch
prosecutors. Since expectations were high, the E&C team experienced, from the very beginning, much
pressure to show results. The team struggled with how to describe and measure progress. Similarly,
Telia’s management and the Board were pressured to explain the actions taken to deal with corruption.
Because the company had committed to regaining trust and to rebuilding its brand, people thought they
had the right to know which promised changes had been made. The shareholders, the creditors, and
the analysts especially claimed this right. The CECO recalls:
“Sometimes we felt we did not have time to actually do things before we were supposed to present the
results.”
7
Although the framework was widely accepted at Telia, some people argued it was too complicated,
took too much time, and required too many resources. Others argued it was too US-oriented with its
disproportionate focus on the risk of corruption at the expense of other behavioral risks. Even when
the demand to show ethics and compliance results decreased, such arguments were still occasionally
raised at different levels in the company.
Acknowledging that there may be different views on how to address responsible business, the CECO
states:
“This is in fact a very simple framework for how to practically implement commitments to
responsibility and business ethics in a company.
However, during the implementation of the framework, the E&C team learned that the process caused
friction at all company levels and raised other issues that required prioritization. These requirements,
which meant difficult decisions had to be made transparently, ultimately tested the robustness of Telia’s
management. Eventually, when the E&C team realized that frictions were a necessary part of the
implementation process, they were addressed in the framework. (See Appendix 1 for examples of
friction).
Remediation
Remediation describes the process of fixing a problem. Remedial actions, which include corrective and
disciplinary actions, are important features in an effective compliance program. Telia’s CECO knew
that the first questions posed by regulators or prosecutors would address which remedial actions the
company had taken when charged with ethical violations and/or legal crimes.
The E&C team began by examining the crisis and “what had gone wrong.The company had the two
reports from the lawyers: the MSA report on the Uzbekistan activities that had a lot of useful
information and the NRF report on the investigation at the “entry level” (how Telia had entered the
markets and structured its ownership) in the other Eurasian markets. In November 2013, NRF
presented its first report that described some very troubling and questionable business transactions in
other Eurasian operations. The new CEO, who had been at the company for only a few months, knew
he had to part ways with four senior leaders in the company, including the CFO and the former head
of the largest business area, Mobility (formerly Head of the Business Area of Eurasia). Telia publicly
stated that its problems, unfortunately, were not unique to Uzbekistan. Indeed, Telia had a pattern of
unethical, possibly unlawful, business activities in Eurasia.
In addition to these investigations (by MSA and NRF), the E&C team conducted its own examinations
in the countries where Telia operated. These examinations included risk assessments of Telia’s
operations in each country. The problems were identified. Now it was time to fix the problems.” The
Head of the ABC Program made a list a long list of necessary remedial actions. The list was an
action plan specifying needed actions and identifying responsible persons. Owners of the actions came
from all levels of Telia: the offices of the CEO, Finance and Control, Legal & Regulatory,
Procurement, Internal Audit, Corporate Development, and Sales and Marketing, plus the Ethics &
Compliance team. The list, which was initially monitored on a weekly basis, meant some proposed
actions received more attention than others, depending on the urgency and risk associated with them.
8
For a period of time, the action plan was a recurrent Board agenda item. The Head of the ABC
Program had many intense discussions with the owners of the proposed actions.
At this stage, given the pressure within the company, most people were aware of the urgent need to
take action. They did not object to “being ordered about” by the E&C team. By Summer 2014, Telia
had also received letters from the DOJ and the SEC requesting information on Telia´s activities in
Uzbekistan. The Telia office in Amsterdam had been dawn-raided by the Dutch prosecutor. When the
US authorities took an interest in Telia’s business, the CECO and the Head of the ABC Program
immediately realized that at some point in the future they would be held accountable for the design and
effectiveness of the ABC Program.
The Head of the ABC Program recalls:
“It took us a week, working around the clock in an isolated conference room, to make the list. We
actively used the framework of Ethics & Compliance and did not shy away from listing actions, down
to every detail.”
There were no more additions to the initial remedial actions after two years had passed, but with new
investigations (see Special Investigations, Disciplinary/Corrective Actions) still another set of remedial
actions were added. The Head of the ABC Program remarks:
“It is a continuous exercise of perseverance where you have to stick to the program. Everybody who
works in compliance or has learned the hard way in a scandal like the one at Telia knows how hard
this is and how much dedication it takes to stay with the program.”
Risk assessment
The fundamental principle of any compliance program is thorough risk assessment. The purpose of
risk assessment is to identify and understand potential risks and then to create a program that will work
in practice and that will allow the company to do business in challenging contexts. In short, risk
assessment requires understanding the internal and external context and conducting dialogue with
parties within and outside the organization.
Analyze and understand your own company and business
At Telia, risk assessment began with an examination of the company’s many ownership/legal structures
and their governance. This work revealed the existence of quite complex and intertwined structures as
well as contradictory and variously delegated governance systems. The E&C team understood that the
business activities in Eurasia operated differently from Telias other activities. The CECO describes the
situation:
The business region of Eurasia was surrounded by rumors of undefinable threats and by security
concerns . . . the regional and local managers in Eurasia were treated differently; they were “heroes”
who had “delivered” unmatched growth during recent years while working in a “hostile”
environment. They must not be “disturbed.” We were told that the environment was just too difficult,
with somewhat arrogant disdain, for us to understand because things “were done differently” in
Eurasia.
Telia´s managers in Eurasia rarely visited Stockholm. Their powerful regional head office was in
9
Istanbul. In fact, the Internal Audit function of the Eurasian operations was not always integrated with
Telia’s central Internal Audit function. When attempts were made to enlarge the company’s audit
scope, the central Internal Audit function was encouraged to tread with caution” and not to
“interfere” with the Eurasian “business.Continued growth in Eurasia, it was argued, was essential for
Telia.
Another observation was that many managers and other employees who were not involved with the
Eurasian business viewed the issue of irresponsible business practices solely as a “Eurasian” problem.
They thought it was an issue that had little or no relevance for them, for the business in other
countries, or for group management. They thought it was unfair that all of Telia suffered because of a
few individuals who worked far from Sweden. Some of them thought the Swedish business community
and media had a poor understanding of how business “was done” in Eurasia. In their opinion, Telia
was the victim of moral panic and hostile media coverage. The CECO comments:
“What was forgotten in these discussions was that the critical, and now severely questioned, business
decisions were made at the headquarters in Stockholm.
She adds:
“In hindsight, we did not properly understand nor deal with the resistance from leaders and
employees who still worked under the control and guidance provided by “old” management. Others
thought that, because Telia now had a new Board and new management, everything was in order. The
“bad guys” were gone. That assumption, as events later revealed, was somewhat premature. There was
still a lot of hard work ahead.”
Analyze and understand your external context
It is important for ethics and compliance professionals to understand how to do business in their
companies’ foreign markets. This means understanding how to structure and resource compliance
work. At Telia, the E&C team conducted extensive risk assessments of the countries and institutions in
Eurasia, guided by the ABC Program. When the team conducted the operational risk assessments in
these countries, they learned how internal work processes were used to manage the various external
pressures.
The Head of the ABC Program and another E&C expert conducted the operational risk assessment in
the first year when they travelled to the Eurasian countries where Telia had business activities. They
met with the local managements. They examined specific areas of corruption risk in the business
operations in these Eurasian countries. They examined leadership, governance structures, interaction
with local boards and local shareholder(s), human resources practices, import duties, use of
agents/distributors, conflicts of interest, procurement policies and processes, financial controls, bank
relationships, processes for donations and sponsorships, and M&A activities. These were only some of
the areas examined.
In 2015, the E&C team conducted risk assessments in countries outside Eurasia. The team developed
a tool with MSA that helped local management make the risk assessments without the physical
presence of a representative from the E&C team. The Head of the ABC Program states:
“The initial work was substantial and made it possible to streamline our efforts later on. Also, the initial
work raised the level of risk awareness among local managers and made the risk more visible and
10
actionable.”
Telia’s Communications Department arranged several meetings/briefings with various stakeholder
groups (e.g., owners, potential investors, creditors, analysts, interested NGOs, journalists, and
employees). These groups met the new CEO, the executive management team, and the E&C team.
These “dialogue meetings provided an excellent opportunity for Telia to learn more about these
stakeholders´ concerns and what they thought the compliance work should focus on. The CECO
explains:
“A well prepared and thorough stakeholder dialogue is a very helpful tool for understanding a
specific context and its behavioral risks. As employees are one important stakeholder, we included
employees from different levels and groups in the dialogues.”
Understanding the effects on human rights
Companies are expected not only to act responsibly in a general sense, but also to understand the
effects of their business activities on human rights. Therefore, many companies conduct a Human
Rights Impact Assessment (HRIA). This assessment, which engages people from inside and outside a
company, aims to increase awareness of how a company may abuse the fundamental human rights of
people within its sphere of influence. A HRIA emphasizes that human rights are not separate from
business. Companies are responsible, with governments, NGOs, and other individuals, to respect the
rights of all people. A HRIA also supports the claim that behavioral risks often can result in violations
of human rights. The CECO states:
“Responsible business is based on an understanding that true change does not arise from fear of legal
proceedings, fear of the media, and/or fear of personal disgrace. True change will only occur if people
want to do the right thing because it is the right thing to do. Change will only truly occur if people
take this lesson to heart and understand why their acts and decisions matter.”
During 2015-2016, in cooperation with an internationally-recognized organization, Telia conducted
HRIAs in all countries where it had business activities. These assessments, which were well received,
addressed leadership in the countries and the different company group functions. After lengthy internal
discussions where different opinions, agendas, and priorities were in focus, the reports with their
recommended remedial actions were published (in summary form) in the Annual and Sustainability
Report for 2016. By contrast, the 2012 HRIA report for group level Telia had only a passing mention
in the Annual Report for 2012.
Organization
Implementing responsible business, in general, and in an ABC Program, in particular, requires that an
organization has the competence and confidence sufficient to manage all aspects of such a program.
Accordingly, the E&C function has to have a leader and team members with relevant competence,
experience, and, in some cases, professional seniority. The CECO comments:
The CECO should report to a level in the organization that has proper authority and integrity. If the
company has problems with the regulatory authorities or with the prosecutors, those authorities will
not be impressed if the CECO does not have direct access to the CEO and cannot report
independently to the Board or one of its subcommittees.”
11
Telia’s CECO reported directly to the CEO. The E&C team attended meetings held by the Board’s
Sustainability and Ethics Committee and by the Audit Committee.
At Telia, the functions of management control, compliance, and auditing were prioritized as the
company began implementing company-wide strengthened controls, improving compliance systems,
and introducing responsibility for ethical business practices. Moreover, given the involvement of the
DOJ and the SEC, the most rigorous regulators in the world, Telia’s top management understood that
every aspect of its anti-corruption program would be scrutinized and evaluated.
The Head of the ABC Program, who also was appointed to the Regional Chief Ethics and Compliance
Officer for Eurasia, was the first member of the E&C team. Other team members were enrolled, some
of whom already worked at Telia in areas of effective compliance (e.g., training on the company’s
conduct code or supporting the Procurement Department on sustainability issues). A few team
members were recruited externally when specific competences were not available internally.
The central E&C team consisted of ten team members who worked at the group and regional levels
plus seven local E&C Officers, each representing a Eurasian country. In total, 17 people were on the
team. To ensure that the E&C team produced high-quality work, the CECO required that each team
member meet continuing education and international certification standards.
The E&C function was the owner of the ABC Program. The CECO states:
This [structure]is very common because ABC is “the mother” of all compliance regulation and work.
Moreover, at Telia, the E&C team had the necessary skills and background to conduct a program that
was long overdue.”
Other employees and teams with competence and knowledge related to other responsibility topics (e.g.,
Freedom of Expression and Customer Privacy) took ownership of their programs. They provided
guidance on the Ethics & Compliance requirements and on the concept of Responsible Business.
Policies, Instructions, and Guidelines
A policy is normally a written document of rules issued by the board of directors, a company’s highest
governance level. The next governance level, the executive level or similar level, issues instructions that
explain the rules to the employees. Some companies have additional guidelines issued by managers who
are responsible for various areas/departments. These guidelines describe the instructions in greater
detail.
This hierarchy of rules, instructions, and guidelines is commonly referred to as “policies/instructions”.
Formalized processes may explain how the policies/instructions are to be implemented (e.g., in the
decision-making chain). The CECO states:
It is important to point out that “policies/instructions” are the binding rules for behavior in the
company . . . for how things are done. Addressing this hierarchy of “rules” from an anti-corruption
perspective is where the E&C work started.”
At Telia, more policies/instructions were soon added to the original policies/instructions. There were
instructions for gifts and hospitality, interactions with government officials, sponsorships, donations,
and other philanthropic contributions. Other instructions covered internal investigations, corrective
12
and disciplinary actions, procurement, third-party policies, and mergers and acquisitions. The E&C
team, which had ownership of the ABC Program, was responsible for introducing and monitoring the
common framework of rules. The process covered all areas of Telia’s business its various functions
and layers. The CECO comments:
“The Telia E&C team spent a lot of time “anchoring” internally. Because of the pressure of the
looming DOJ/SEC proceedings, the team sometimes despaired and just wanted to resist. Maybe this
was done at one point or another. However, the idea was to aim for as much internal buy-in as
possible. Internal buy-in on the documents would make the transition from words to actions
somewhat smoother.”
The policies/instructions in the ABC Program explained Telia’s position as a responsible business on
criminal activities such as bribery and corruption. The E&C team ensured that all employees could
access the company’s rules, instructions, and guidelines. The team even disseminated a document to
selected employees. These employees were required to sign that they had read and understood Telia’s
new policies/instructions (pull and push capability).
In 2014 and 2015, Telia’s upper-level management introduced group-wide policies and instructions on
responsible business behavior. These documents covered, in addition to anti-corruption, areas such as
Freedom of Expression and Privacy, People, Health and Safety, Environment, Insider Trading, Anti-
Trust, Company Assets, and Travel. In 2016, The E&C team introduced the new Code of Responsible
Business Practices (see below: The Telia Code of Responsible Business Behavior).
Rules are only as strong as their enforcement. To ensure that rules are taken seriously, a process is
needed for how to make and forward exception requests. The reasons for exceptions must be clearly
and transparently stated at the appropriate corporate level. The Head of the ABC Program states:
Every exception will undermine the rules and the work morale of those whose job it is to maintain
the rules, to keep the company out of trouble, and to develop responsible business practices.
Therefore, we should be mindful of recurring exception requests that strongly indicate the rules are
not taken seriously.”
An action or behavior that may not be illegal, given the particular facts and circumstances, may well be
illegal when the situation changes and other facts are revealed. Telia learned this lesson the hard way.
The problem actions and behaviors for Telia in Uzbekistan occurred in 2006, but they were not
revealed and challenged until some six or seven years later. The CECO states:
Business ethics should not be considered as an “impact cushion”. Nor should business ethics be
considered a “margin” in the framework of corporate rules when difficult situations require asking for
a legal opinion. Ethics, which are the foundation of legislation describe the common view of right and
wrong while legislation is just an interpretation. Ethics explain why we have legislation. This
explanation of why allows you to have a better grasp of the law, to recognise the limitations of the law,
and to understand why laws may change over time.
13
The Telia Code of Responsible Business Conduct
A Code of Conduct is an umbrella document.” This
umbrella provides easy access and easy under-
standing of the requirements and rules a company
issues for conducting responsible business. The
CECO explains the commonly accepted view of
such codes:
A Code of Conduct should be engaging, modern,
and accessible. As an umbrella, the Code should
stand on a firm ground of policies/instructions.”
Telia’s new Code of Responsible Business Conduct
(hereafter, the Code) was made accessible to
employees by an app with links to the relevant
policies/instructions that encouraged them to
explore all details if and when needed. The Code was
internally anchored by the close involvement of the
owners of the different polices/instructions. The Legal Department was the owner of the Antitrust
Framework; Security was the owner of the Privacy Framework; Human Resources was the owner of
the People Framework; and so on. The executive leadership was the ultimate owner of all rules,
instructions, and guidelines. The Board was the owner of all policies.
Because transparency was essential in the implementation process of the new policies/instructions, the
new Code was posted on Telia’s homepage, under the heading “dontdothisatwork”.
The CECO states:
What applies in your own company should also apply to your third parties and others
who represent the company.
However, many companies, including Telia, have a separate Code of Conduct for third parties.
Normally such a code would be unnecessary except when an individual Code of Conduct is needed for
suppliers where there are specific requirements and topics applicable to third parties. For example,
although Telia has modern, comfortable, and secure offices, equipped with all necessary equipment,
some of its suppliers are located in countries where the workplace is quite different. In these countries,
local industry and labor legislation is not nearly as advanced as in Sweden. For this reason, Telia must
be specific in setting third-party requirements.
Telia also has rules on how to conduct supplier due diligence and how to determine supplier ownership
(and for other third parties). Application of these very specific rules may require lengthy deliberations
and difficult decisions in local environments. Sometimes difficult decisions are escalated to the higher
management levels. Telia also provides specific guidance on how to interpret the requirements
developed for third parties. This guidance also explains when and how exceptions can be made to the
rules.
In 2013, a top priority for the new CEO was to establish stronger governance over Telia’s operations in
14
Eurasia. At this time, the group policies/instructions were generally inapplicable at the Eurasian
companies. Local boards of directors had oversight responsibility rather than Telia’s group
management. Although Telia held a majority stake in these companies, a structured process did not
exist that ensured Telia’s policies/instructions were applied. However, by Spring 2014, when Telia’s
group management had assumed responsibility for, and authority over, the Eurasian companies, its
group policies/instructions were also implemented.
Education and Communication
Telia provided its employees with training on anti-corruption and other responsible business topics.
The training modules, which were evaluated annually, were designed for employees in various
positions. Some training sessions were voluntary while others were mandatory. The HR Director states:
Training is a powerful tool for creating understanding of ethical issues and for building an ethical
culture.”
Originally, the E&C team prioritized face-to-face training. The CECO explains:
“The value of direct interaction with the opportunity to discuss questions and dilemmas in a real
setting cannot be measured in monetary terms. We are convinced of that idea. By far, a real setting for
a discussion exceeds any cost of a face-to-face session.”
After the introduction of the Code, the E&C team introduced e-learning training sessions on the Code
and the various areas of responsible business. This training used the same “look and feel” approach
that the Code took. This approach emphasized that the Code and its rules, processes, training sessions,
and future implementation were parts of a common effort to build responsible business.
Crisis management, when corruption is involved, is more than just explaining why an anti-
corruption program is essential. Although a company in such a crisis is at risk of prosecution,
executive incarceration, and large fines for bribery and kleptocracy, perhaps its main concern is the
damage to its reputation, especially if human rights have been abused.
The E&C team was convinced that decisions and actions were more critical than words and statements.
A culture of business ethics had to be created: a culture of “doing the right thing. The Head of the
ABC Program explains:
It is easy to make the right decision when everything is equal, when you focus only on the ethical
aspects. However, the reality is more complex because there are several factors that influence our
decision-making. We may even be unaware of some of these factors. Our decisions may also be
influenced by group and time pressures, fear of failing, short-sightedness, and faulty assumptions.
That is why we need to train employees in ethical decision-making.
15
The E&C team worked diligently and professionally to illuminate the problem they call “ethical
blindness.
5
This is a term used to describe how individuals can be influenced by factors that may
momentarily “blind” them from doing the right thing, making the right choice, and taking the right
decision. This “blindness” can occur at all levels of an organization. Through a systematic training
program Telia’s leaders were trained to understand how ethical blindness worked.
Yet it is questionable whether ethical blindness is an acceptable excuse for bad decision-making. The
CECO states:
We all have to be accountable for what we do. However, a better understanding of the difficulties
encountered in making the right choices and decisions will, we believe, support building a culture of
ethics and integrity and will help our leaders understand themselves and others better in situations
where there are friction and uncertainty.”
As part of the training, the E&C team made a list of problematic dilemmas identified in Telia’s
operations. This list was used in an “ethical dilemma game” that the participants played in groups. They
found the game engaging and provocative because it encouraged transparent discussions on alternatives
decisions and actions in specific dilemmas.
Due diligence and third-party management
When the E&C team began work in September 2013, there were as previously mentioned several
ongoing investigations. As the work continued, the team members learned more about the company’s
operations and the severity of its business culture problem. Throughout the process, several managers
were asked to resign. Others left Telia voluntarily.
As the months passed, the E&C team members realized that the time and effort needed to fix the
5
Ethical blindness describes the moral condition that allows anyone to become involved in unethical/illegal behavior. The
general belief is that personal character does not explain such behavior; rather, the context may be the explanation. The
context can be stronger than the individual and the individual’s moral compass. Influenced by the context – organizational
pressure (e.g., fear of failure or ridicule) or situational pressure (e.g., time, group, or authority pressure) people may look at
the world through a filter that prevents them from seeing things clearly. At that moment, they are momentarily ethically
“blind”.
16
problem” would be significantly greater than they had anticipated. During Spring 2014, the E&C team
understood that it would be evaluated in accordance with the highest standards and requirements of
effective compliance. The team members understood they would be running the ABC Program while
the company was under criminal investigation by three authorities. The CECO recalls:
You cannot sit in front of the DOJ lawyers and not know how to answer the following very
reasonable question: ’Do you know, as we speak, that you are not paying bribes?’ Indeed, it is hard to
blame any ongoing wrongdoing on the previous management. The responsibility lies with the new
management and with us.”
The E&C team had a fast start under the ABC Program. The team was working with the following
activities and areas: a fix-it remedial list, risk assessments, a new organization, new governance
structures, new policies and instructions, a new speak-up line and investigation process, training
sessions, and e-learning.
The Finance Department handled payment reconciliations with companies at the group and subsidiary
levels, introduced new risk catalogues and controls, and strengthened the Procurement Department
(that now encompassed all Telia group companies). Despite these actions, after one year it was clear
that Telia still lacked satisfactory control over third parties. Telia could not always account for who was
the beneficiary of a particular supplier. Who received payments and why? The documentation and
control were simply inadequate. Thus, neither the E&C team nor Telia management could answer the
following questions affirmatively: Do you know that you are not paying bribes as we speak?” The
CECO states:
It may seem unfair that a company has to be so certain, given you are speaking for an entire
organization and for third parties. However, the authorities are not very forgiving. They do not accept
the idea of the rogue employee or of third parties who act irresponsibly, unethically, or illegally
without your knowledge. The conduct of the employees and third parties is simply a company risk.
You have to take a leap of faith when you answer questions knowledgeably about the processes and
procedures in place, providing assurance that they are working. You have to answer: ‘Yes, we have
done everything in our power to detect and prevent any misconduct.”
Telia realized it needed new processes for the third parties it worked with. An examination of the entire
history of its dealings with vendors, distributors, consultants, agents, and other third parties was
needed. The E&C team called this historic examination “the backlog”. To manage the backlog, the
E&C team had to develop and implement processes for due diligence of third parties, country by
country, and contract by contract. This required the involvement of people from the Finance,
Procurement, and Legal Departments.
As the team members had the right competences for this task, initially they created a “due diligence”
function in the E&C team. The E&C team eventually turned over this third-party due diligence
function to the Procurement Department that by then had built relevant processes and competences.
The function was now called “Responsible Procurement. This function also recruited local Due
Diligence officers in the Eurasian countries. The CECO summarizes the work:
Building this competence and implementing these controls at the local level in each country took a
lot of dedication, patience, and perseverance from all involved.”
17
The third-party category also includes the organizations Telia associates with through sponsorships, donations,
and philanthropy. The CECO explains:
In fact, these areas have high-risk activities where corruption and bribery are temptations. In
countries where the government engages in systematic kleptocracy, officials do not hesitate to require
companies to support a particular organization or another local, so-called not-for profit or charitable
organization. Companies feel compelled to contribute, but they do not know where the money goes,
and they have no control over it. The risk of bribery is very high.
In Telia, third parties involved in the company´s M&A activities were where the real problems started.
The problems originated when certain essential checks were not made (e.g., ownership structures,
financial examinations and controls, and operations). Telia adopted new policies and processes
intended to ensure that all M&A activities were handled by the professional M&A team, consistent with
the M&A instructions (the M&A Handbook).
The CECO admits that third-party management is the most difficult task of the compliance program. It
is here that the E&C team struggled to overcome internal differences and to meet external challenges.
She states:
There are so many conflicting interests. The processes take time and, inevitably, from time to time
cause irritating and even, as far as day-to-day operations, harmful delays. Suppliers who are preferred
and may have been reviewed many times, over many years, may still not be acceptable from a
compliance point of view. You may lack alternative suppliers. You may experience pressure from the
government or influential people to work with a specific supplier. The list of possible friction areas is
long. It takes time and resources to build confidence in the competence and integrity of suppliers, so
the road to effectiveness is long and bumpy. However, third-party management is the most important
area of responsibility with the highest level of risk. Globally, it is reported that 90 % of the corruption
cases in the US (FCPA cases) involve third parties. The third-party management problem requires the
full support of executive management and the Board.
Whistleblowing, Speak-Up, Non-retaliation
During the Fall and Winter 2013-2014, Telia introduced and operated an externally hosted Speak-Up
line, accessible from any location, in all relevant languages with anonymity assured. A link to the Speak-
Up line was posted prominently on the company’s Intranet and on its Internet homepage. Speak-Up
could be accessed by both internal and external parties who wished to report their concerns about
possible misconduct. The E&C team appointed a Special Investigations Office to receive, log, and
manage incoming whistle-blower reports. Nothing similar had been in place and as soon as the Speak-
Up line was launched, there was a surge of whistleblowing activity.
Normally, many whistle-blowers’ concerns are too vague to act upon. Many come from disgruntled
employees who complain about their managers. However, the E&C team also got reports of serious
wrongdoing (e.g., instances of fraud, conflicts of interest, and bribery). The team members also learned
about wrongdoing that had been reported earlier but had been disregarded or managed in a manner
that disappointed the reporter. The team members concluded in these instances that Telia had the will
but not the means to deal with these complaints.
The most important factor that deters people in a company from speaking up is their fear of retaliation.
18
Retaliation can take many forms, such as being bypassed for a promotion or losing popularity and
respect in the group. The period of retaliation may be brief, but it may also last for some time. In the
latter instance, retaliation may turn into systematic mistreatment that only ends when the victim leaves
the company.
The CECO states:
“Retaliation is very hard to put your finger on or to prove. It is important to keep in mind that we are
all human beings who want to be liked and respected. We rely on the group. We want to be part of
the group. Our survival depends on that even in the corporate context.”
The ABC training at Telia included a reminder that employees were strictly prohibited from retaliatory
actions and that they had an obligation to report any retaliation observed or experienced.
6
Telia also opened the Speak-Up line for external reporting of human rights violations. This is called a
Human Rights Grievance mechanism where the company offers employees a channel for reporting
situations where the human rights of an individual or group may have been violated. Such cases are
reported to upper management and the Board.
Telia also reports on the whistleblowing cases and their disposition in its annual Sustainability Report.
The Head of the ABC Program states:
“One’s instinct may be to say and report as little as possible about these cases, especially the cases that
lead to disciplinary actions. From an effective compliance perspective, the opposite is true. Since an
effective compliance program thrive on transparency, it is crucial to show that it is never okay to
violate common rules and good behavioral expectations and that whistleblowing reports leads to
action and consequences.
Special Investigations, disciplinary / corrective actions
The E&C team knew that the second most important factor that deters people from speaking up is
their belief that no action will be taken. If nothing happens anyway, why should I expose myself to the
uncomfortable consequences of speaking up?” This is a fair question that highlights the importance of
high-quality internal investigations. Telia’s investigations (by MSA in 2012-13 and NRF in 2013-14)
exposed some significant deficiencies in Telia’s governance, controls, and compliance. Red flags were
raised that warned of possible corruption and other wrongdoings related to the ownership issues in
Uzbekistan. Thus, when Telia, among other actions, put in a new management team, created the E&C
team, established the Special Investigations Office, published a new Code of Responsible Business
Conduct, revised its “policies/instructions,” began a review process of Eurasian contracts, and re-
examined its third-party relationships (and made many of these actions public), it seemed clear that
actions had been taken.
6
The difficulties associated with speaking up, retaliation, humiliation, and sometimes finding yourself unemployed have led
several authorities (e.g., the DOJ and the Internal Revenue Service (IRS) in the US) to pay large monetary rewards to
whistleblowers whose cases have been substantiated. While the issue of whistle-blower protection has been discussed in the
EU, there is no formal system in place.
19
The CECO comments:
The job of special investigations is a tough job. It requires intelligence, experience, and integrity. It
also requires the ability to work under pressure and to produce reports that people can understand. As
a special investigator, you will sometime be the bearer of bad news. Then you may risk getting shot
down.”
The E&C team, as soon as it was created, suspected hard work lay ahead, primarily in the operations in
Eurasia. The experiences reported by other companies in similar situations indicated that “one corrupt
act leads to another.There was no reason to believe that Telia was an exception. The team knew it
was essential to communicate this concern to upper management.
An effective ethics and compliance program should have the highest level of engagement and
commitment at all levels in an organization. This commitment will be crucial when difficult ethical
dilemmas arise and when decisions have to be made that result in disciplinary actions. The Head of the
ABC Program explains:
Two of the first questions a regulator will ask in an investigation of your anti-corruption program
are the following: ‘Have all the perpetrators left the company?’ and ‘How many people have been
dismissed or disciplined due to misconduct?’”
Disciplinary actions are the most challenging part of the ethics and compliance work. The Head of the
ABC Program states:
“All the hard work of making risk assessments, building an organization, working with policies and
procedures, evaluating third parties, and training people will be in vain if the implicated employees are
not identified and the managers responsible for the misconduct are allowed to keep their positions.
She adds:
The delegation of disciplinary action in the organization sends the wrong message, increases the
friction at lower levels owing to insufficient top management direction, and possibly jeopardizes the
effectiveness of ethics and compliance work as well as the efforts exerted to build a culture of ethics
and integrity.”
Neither the E&C team nor the Special Investigations Office had responsibility for any disciplinary
actions. A special management forum, “the Ethics Forum, consisting of executive management
members made the final decisions on whether disciplinary actions were required. Disciplinary actions
could be oral warnings, formal written warnings, dismissal, demotion, or change in responsibilities. In
addition, in some instances, additional training to encourage behavioral change was required.
Improvement / audit / report
Telia’s E&C team experienced constant pressure to issue progress reports on the E&C results,
especially results from the ABC Program. This was both a blessing and a curse. The pressure forced
the team to use Key Performance Indicators (KPI) that were meaningful to the wider audience
interested in the company. From a positive perspective, the pressure to report to the Board, the
shareholders, and the analysts prepared the CECO and the Head of the ABC Program for reporting to
the DOJ, the SEC, and the Dutch and Swedish prosecutors. The CECO admitted that under strong
20
external and internal pressure, It can be very tempting to avoid reporting or disclosing things that are
not so good or in a bad state.”
At its AGM in 2015, Telia had an open “pre-meeting” that dealt with sustainability reporting with a
question and answer forum. The E&C team members talked about the challenges and difficulties they
had encountered in implementing responsible business, particularly with third-party matters. The same
approach had been taken in the 2014 Annual Report. In other words, Telia was trying to increase its
credibility among its external stakeholders by courageously and openly revealing its weaknesses as well
as its areas of improvement. The CECO explains:
We believe that transparency is the most effective way to govern a company from a responsible
business perspective. Transparency provides the stakeholders with information and takes away the
expectation that management can work miracles.
The Telia Board and the executive management group have ultimate oversight over the responsible
business programs. The CECO speaks for the E&C team:
This is as it should be; the fewer filters between the E&C team and the Board, the more
effective the program.
Working with the Internal Audit Department, the E&C team identified areas where the team could
submit proposed actions to upper management. The CECO also engaged an external compliance
consultant to help the team understand its weaknesses and to help prioritize activities during its work.
In addition, the E&C team engaged a US-based ethics institute to evaluate and benchmark the
compliance programs. In combination, these actions supported the implementation process and
prevented rushed work and poor prioritization.
The CECO acknowledges that sometimes the external environment can be so challenging that it seems
impossible, or nearly impossible, to implement responsible business practices without jeopardizing the
whole company. Working with other companies in collective actions may then increase the chances
of success. Because the telecommunications industry has many interactions with governments and
government officials (e.g., on matters related to licenses, frequencies, and assorted approvals), Telia
initiated an industry collaboration the Telecom Industry Integrity Initiative” in cooperation with
Transparency International).
Telia also had a joint initiative with the anti-corruption agency, TRACE International, to award a
scholarship to a student from the former Soviet Union for anti-corruption studies at a top university in
the UK or the US. The CECO explains:
The root causes of behavioral risks are to some extent external to the company. Collaboration with
peers and other institutions can be one key to progress.”
Tone from the top
The framework for E&C team refers to the “tone from the top”, which means that an effective
compliance program requires that a company’s top management and its board of directors understand
and support all aspects of effective compliance. This includes acknowledging the existence of, and
understanding, the consequences of the many frictions and dilemmas that occur when implementing
21
effective compliance. There is a reason for positioning leadership at the core of the framework. The
“tone from the top” is not a marketing/public relations slogan. It is a clear and affirmative statement of
what a company’s upper management and board actually decide and do. The CECO summarizes:
Leaders set the tone used to handle the frictions and dilemmas. Every decision and every action
matter when building a culture of business ethics. Responsible business requires steadfast adherence
to your principles. The “tone form the top” is not just set at the very “top” where we find the
executive management and the board. The tone is confirmed at all management levels of a company.”
Epilogue
On September 21, 2017, Telia entered into a DPA (Deferred Prosecution Agreement) with the DOJ
(US Department of Justice), the SEC (US Stock Exchange Commission), and the DPPS (the Dutch
Public Prosecution Service). By the terms of this agreement, Telia admitted criminal violations of
bribery. Telia had to pay a total of $965,603,972 in criminal penalties and disgorgements.
Despite the seriousness of the crime, as reflected by the very large financial penalty, Telia was awarded
full credit (25% off the otherwise-applicable US Sentencing Guidelines fines range) for its cooperation,
for its extensive remedial measures, for its creation of a new, robust, and company-wide compliance
function, for implementing a comprehensive anti-corruption program, and for completely revising its
corporate governance structure.
In a rare statement, the DOJ further determined that, based on Telias remediation and the state of its
compliance program, an independent compliance monitor was unnecessary.
On December 5 2018, Telia announced that it had sold its interest in the Uzbek subsidiary for
$215,000,000 to the State Committee of the Republic of Uzbekistan for Assistance to Privatized
Enterprises and Development of Competition, a governmental authority of the sovereign state of
Uzbekistan.
22
Appendix 1
Examples of frictions at Telia
During the implementation of the ethical and compliance framework at Telia, the E&C team learned
that the process caused friction at all company levels. In order to illustrate what kinds of problems that
responsible business has to address in a global company some examples of frictions that the E&C team
had to deal with are presented below.
How much transparency?
The risk assessments for Telia in 2013/ 2014 provided information that was helpful for understanding
the challenges and requirements of conducting business responsibly in Eurasia. These assessments
clearly raised some very significant questions as to whether Telia, in some ways, supported a corrupt
dictatorial regime that had little respect for human rights. The risk assessments explained how much
work and time were needed to operate reasonably responsible business in Eurasia. Some proof points
revealed that some progress had been made, especially as a result of the strong pressure from investors,
owners, and other stakeholders. However, the risk assessments were troubling and insulting to the
controlling authorities in countries where Telia had operations, to local co-shareholders, and to many
employees. Consequently, many different opinions were expressed about the risk assessments report.
Who should have this information? How should it be presented and shared?
Exceptions to the rules
Telia wanted to export a smartphone to Country X and bundle it with Telia services. In Country X,
Company C had a monopoly on the importing of mobile phones. In its due diligence of Company C,
Telia uncovered some disturbing information that sent up significant red flags relating to company
ownership. From a strictly legal point of view, the ownership structure did not seem illegal. Telia went
ahead with its work with Company C. The Smartphone was really THE mobile phone, but without a
telecom operator to support it, it was rather useless. What do you do? Do you consider only the legal
opinion that was issued by a reputable law firm? And what are the possible consequences when
exceptions are made to the rules?
Consequences of kleptocracy
In Uzbekistan, local companies are expected to participate in building and strengthening society by
their sponsorships and donations to charitable organizations. However, companies do not participate in
such activities voluntarily. When asked, they cannot refuse. A company that refuses is likely to
experience difficulties in its day-to-day operations (e.g., revoked work permits, prolonged license
application processes, and creative enforcement of tax laws). Each year companies receive demands for
large payments to sports teams, education organizations, and various charitable entities. The
contributions are paid to official bank accounts, but there is no real accounting of how the money is
spent. Should a company pay? What happens if it doesn’t pay? Are a company’s rules on sponsorship
and donations, which require full transparency on how the funds are used, applicable in countries such
as Uzbekistan? Are there security risks involved if payments are not made? What does an “official”
bank account mean in a country where public officials own or represent the bank?
23
Silent resistance
In setting up the E&C team at Telia, the team met employees who wanted to join the team, they met
managers and employees who wanted to support the team’s efforts and welcomed the initiatives.
However, they also met managers and employees who were not convinced that the matter concerned
them. Some employees felt insulted and provoked by statements and criticisms related to “change”,
“ethics”, and “responsibility.” It seemed that the new Board, the new management, and the new E&C
team were all sending a message to the employees that they had somehow fallen short of company
expectations. Some employees were very outspoken in their resistance. Many of the employees who
were most resistant eventually left the company. Nevertheless, “silent resistance” persisted. It is
difficult to predict what will happen to the silent resistance. Will it disappear now that the scandal has
been resolved? Will it disappear when people embrace the changes?
ResearchGate has not been able to resolve any citations for this publication.
ResearchGate has not been able to resolve any references for this publication.